Azure Key Vault security

You use Azure Key Vault to protect encryption keys and secrets like certificates, connection strings, and passwords in the cloud. When storing sensitive and business-critical data, you need to take steps to maximize the security of your vaults and the data stored in them.

Identity and access management

When you create a key vault in an Azure subscription, it's automatically associated with the Azure AD tenant of the subscription. Anyone trying to manage or retrieve content from a vault must be authenticated by Azure AD.

  • Authentication establishes the identity of the caller.
  • Authorization determines which operations the caller can perform. Authorization in Key Vault uses a combination of role-based access control (RBAC) and Azure Key Vault access policies.

Access model overview

Access to vaults takes place through two interfaces or planes: the management plane and the data plane.

  • The management plane is where you manage Key Vault itself, and it is the interface used to create and delete vaults. You can also read key vault properties and manage access policies.
  • The data plane allows you to work with the data stored in a key vault. You can add, delete, and modify keys, secrets, and certificates.

To access a key vault in either plane, all callers (users or applications) must be authenticated and authorized. Both planes use Azure Active Directory (Azure AD) for authentication. For authorization, the management plane uses role-based access control (RBAC) and the data plane uses a Key Vault access policy.

The model of a single mechanism for authentication to both planes has several benefits:

  • Organizations can control access centrally to all key vaults in their organization.
  • If a user leaves, they instantly lose access to all key vaults in the organization.
  • Organizations can customize authentication by using the options in Azure AD, such as enabling multi-factor authentication for added security.

Managing administrative access to Key Vault

When you create a key vault in a resource group, you manage access by using Azure AD. You grant users or groups the ability to manage the key vaults in a resource group. You can grant access at a specific scope level by assigning the appropriate Azure roles. To grant a user access to manage key vaults, you assign the predefined Key Vault Contributor role to the user at a specific scope. The following scope levels can be assigned to an Azure role:

  • Subscription: An Azure role assigned at the subscription level applies to all resource groups and resources within that subscription.
  • Resource group: An Azure role assigned at the resource group level applies to all resources in that resource group.
  • Specific resource: An Azure role assigned for a specific resource applies to that resource. In this case, the resource is a specific key vault.

There are several predefined roles. If a predefined role doesn't fit your needs, you can define your own role. For more information, see RBAC: Built-in roles.

Important

If a user has Contributor permissions to a key vault's management plane, the user can grant themselves access to the data plane by setting a Key Vault access policy. You should tightly control who has Contributor role access to your key vaults. Ensure that only authorized persons can access and manage your key vaults, keys, secrets, and certificates.

Controlling access to Key Vault data

Key Vault access policies grant permissions separately to keys, secrets, or certificates. You can grant a user access only to keys and not to secrets. Access permissions for keys, secrets, and certificates are managed at the vault level.

Important

Key Vault access policies don't support granular, object-level permissions such as a specific key, secret, or certificate. When a user is granted permission to create and delete keys, they can perform those operations on all keys in that key vault.

You can set access policies for a key vault by using the Azure portal, the Azure CLI, Azure PowerShell, or the Key Vault Management REST APIs.

You can restrict data plane access by using virtual network service endpoints for Azure Key Vault. You can configure firewalls and virtual network rules for an additional layer of security.

Network access

You can reduce the exposure of your vaults by specifying which IP addresses have access to them. The virtual network service endpoints for Azure Key Vault allow you to restrict access to a specified virtual network. The endpoints also allow you to restrict access to a list of IPv4 (Internet Protocol version 4) address ranges. Any user connecting to your key vault from outside those sources is denied access.

After firewall rules are in effect, users can only read data from Key Vault when their requests originate from allowed virtual networks or IPv4 address ranges. This also applies to accessing Key Vault from the Azure portal. Although users can browse to a key vault from the Azure portal, they might not be able to list keys, secrets, or certificates if their client machine is not in the allowed list. This also affects the Key Vault picker used by other Azure services. Users might be able to see the list of key vaults but not list keys if firewall rules block their client machine.

For more information on Azure Key Vault network addresses, review Virtual network service endpoints for Azure Key Vault.

Monitoring

Key Vault logging saves information about the activities performed on your vault. Key Vault logs:

  • All authenticated REST API requests, including failed requests
    • Operations on the key vault itself. These operations include creation, deletion, setting access policies, and updating key vault attributes such as tags.
    • Operations on keys and secrets in the key vault, including:
      • Creating, modifying, or deleting these keys or secrets.
      • Signing, verifying, encrypting, decrypting, wrapping and unwrapping keys, getting secrets, and listing keys and secrets (and their versions).
  • Unauthenticated requests that result in a 401 response. Examples are requests that don't have a bearer token, that are malformed or expired, or that have an invalid token.
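
The following is an added example, not code from the original page or from Microsoft, showing how a defender might review the two log categories just described: repeated 401 responses from one source, and management-plane vault updates (the operation by which a Contributor can grant themselves data-plane access). The log entries and their field names (`operationName`, `callerIpAddress`, `identity.claim.upn`, `properties.httpStatusCode`) are constructed to resemble Key Vault AuditEvent diagnostics and are assumptions, as is the `VaultPatch` operation name.

```python
from collections import Counter

# Constructed sample Key Vault audit entries (assumed schema, made-up values).
SAMPLE_LOGS = [
    {"time": "2024-05-01T10:00:01Z", "operationName": "SecretGet", "callerIpAddress": "10.1.0.4",
     "identity": {"claim": {"upn": "app@contoso.example"}}, "properties": {"httpStatusCode": 200}},
    {"time": "2024-05-01T10:00:02Z", "operationName": "Authentication", "callerIpAddress": "203.0.113.7",
     "identity": {}, "properties": {"httpStatusCode": 401}},
    {"time": "2024-05-01T10:00:03Z", "operationName": "Authentication", "callerIpAddress": "203.0.113.7",
     "identity": {}, "properties": {"httpStatusCode": 401}},
    {"time": "2024-05-01T10:00:04Z", "operationName": "Authentication", "callerIpAddress": "203.0.113.7",
     "identity": {}, "properties": {"httpStatusCode": 401}},
    {"time": "2024-05-01T10:00:05Z", "operationName": "VaultPatch", "callerIpAddress": "10.1.0.9",
     "identity": {"claim": {"upn": "admin@contoso.example"}}, "properties": {"httpStatusCode": 200}},
    {"time": "2024-05-01T10:00:06Z", "operationName": "KeyList", "callerIpAddress": "198.51.100.2",
     "identity": {"claim": {"upn": "dev@contoso.example"}}, "properties": {"httpStatusCode": 403}},
]

def status(entry):
    return entry.get("properties", {}).get("httpStatusCode")

def caller(entry):
    # Unauthenticated requests carry no identity claims.
    return entry.get("identity", {}).get("claim", {}).get("upn", "<unauthenticated>")

def unauthenticated_by_ip(logs):
    """Count 401 responses (missing, malformed, expired or invalid bearer token) per source IP."""
    return Counter(e["callerIpAddress"] for e in logs if status(e) == 401)

def access_policy_changes(logs):
    """Management-plane vault updates; access policy changes arrive through this operation,
    so each one is worth reviewing against who is meant to hold Contributor rights."""
    return [(e["time"], caller(e), e["callerIpAddress"])
            for e in logs if e["operationName"] == "VaultPatch"]

def alerts(logs, threshold=3):
    """Combine both views into human-readable findings."""
    out = []
    for ip, n in unauthenticated_by_ip(logs).items():
        if n >= threshold:
            out.append(f"{n} unauthenticated (401) requests from {ip}")
    for t, who, ip in access_policy_changes(logs):
        out.append(f"vault update (possible access policy change) by {who} from {ip} at {t}")
    return out

if __name__ == "__main__":
    for finding in alerts(SAMPLE_LOGS):
        print(finding)
```

Pointing the same functions at exported diagnostic logs requires only loading the JSON records into a list; the single 403 on `KeyList` is deliberately left unflagged to show that the checks are selective rather than reporting every failure.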

Logging information can be accessed within 10 minutes after the key vault operation. It's up to you to manage your logs in your storage account.

  • Use standard Azure access control methods to secure your logs by restricting who can access them.
  • Delete logs that you no longer want to keep in your storage account.

For recommendations on securely managing storage accounts, review the Azure Storage security guide.

Next Steps