Azure Key Vault security

You use Azure Key Vault to protect encryption keys and secrets like certificates, connection strings, and passwords in the cloud. When storing sensitive and business-critical data, you need to take steps to maximize the security of your vaults and the data stored in them.

This article provides an overview of security features and best practices for Azure Key Vault.

Network security

You can reduce the exposure of your vaults by specifying which IP addresses have access to them. The virtual network service endpoints for Azure Key Vault allow you to restrict access to a specified virtual network. The endpoints also allow you to restrict access to a list of IPv4 (Internet Protocol version 4) address ranges. Any user connecting to your key vault from outside those sources is denied access. For full details, see Virtual network service endpoints for Azure Key Vault.

After firewall rules are in effect, users can only read data from Key Vault when their requests originate from allowed virtual networks or IPv4 address ranges. This also applies to accessing Key Vault from the Azure portal. Although users can browse to a key vault in the Azure portal, they might not be able to list keys, secrets, or certificates if their client machine is not in the allowed list. This also affects the Key Vault picker used by other Azure services: users might be able to see the list of key vaults, but not list keys, if firewall rules block their client machine. For implementation steps, see Configure Azure Key Vault firewalls and virtual networks.

Azure Private Link Service enables you to access Azure Key Vault and Azure-hosted customer/partner services over a private endpoint in your virtual network. An Azure private endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. The private endpoint uses a private IP address from your VNet, effectively bringing the service into your VNet. All traffic to the service can be routed through the private endpoint, so no gateways, NAT devices, ExpressRoute or VPN connections, or public IP addresses are needed. Traffic between your virtual network and the service traverses the Microsoft backbone network, eliminating exposure to the public Internet. You can connect to a single instance of an Azure resource, giving you the highest level of granularity in access control. For implementation steps, see Integrate Key Vault with Azure Private Link.
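The firewall semantics described above (default Deny, IPv4 ranges, VNet rules, private endpoints, trusted-service bypass) are easy to get wrong when editing a vault's networkAcls by hand. The following is an added example, not Microsoft code, that validates a proposed rule set and evaluates whether a given request would pass, so the configuration can be checked in CI before it is applied. Field names follow the networkAcls block of the Key Vault ARM resource (an assumption), and the ACL and resource IDs are constructed sample data.

```python
"""Offline check of a Key Vault firewall (networkAcls) configuration.

Added example, not Microsoft code. With defaultAction Deny, a request reaches
the data plane only from an allowed public IPv4 range, an allowed virtual-network
subnet (service endpoint), a private endpoint, or, if bypass is enabled, a
trusted Azure service. Field names follow the networkAcls block of the Key Vault
ARM resource (assumption); the ACL below is constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field

# RFC 1918 ranges: Key Vault IP rules accept public IPv4 addresses only
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class NetworkAcls:
    default_action: str = "Deny"      # "Allow" disables the firewall entirely
    bypass: str = "AzureServices"     # or "None"
    ip_rules: list = field(default_factory=list)     # CIDR strings
    subnet_ids: list = field(default_factory=list)   # VNet subnet resource IDs


def validate(acls):
    """Return the problems to fix before applying this ACL (empty list = clean)."""
    problems = []
    if acls.default_action.lower() != "deny":
        problems.append("defaultAction is Allow: IP and VNet rules have no effect")
    for rule in acls.ip_rules:
        try:
            net = ipaddress.ip_network(rule, strict=False)
        except ValueError:
            problems.append(f"{rule}: not a valid CIDR")
            continue
        if net.version != 4:
            problems.append(f"{rule}: only IPv4 ranges are supported")
        elif any(net.subnet_of(p) for p in PRIVATE_NETS):
            problems.append(f"{rule}: private range; use a VNet rule or private endpoint instead")
        elif net.prefixlen == 0:
            problems.append(f"{rule}: allows every IPv4 address")
    return problems


def is_allowed(acls, source_ip=None, subnet_id=None, via_private_endpoint=False, trusted_service=False):
    """Decide whether a request with these properties passes the firewall."""
    if via_private_endpoint:          # private-link traffic is not subject to the public firewall
        return True
    if acls.default_action.lower() == "allow":
        return True
    if trusted_service and acls.bypass == "AzureServices":
        return True
    if subnet_id and subnet_id.lower() in {s.lower() for s in acls.subnet_ids}:
        return True
    if source_ip:
        ip = ipaddress.ip_address(source_ip)
        return any(ip in ipaddress.ip_network(r, strict=False) for r in acls.ip_rules)
    return False


# Constructed sample ACL: one office range and one application subnet
SAMPLE_ACLS = NetworkAcls(
    ip_rules=["203.0.113.0/24"],
    subnet_ids=["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
                "/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-web"],
)

if __name__ == "__main__":
    print(validate(NetworkAcls(ip_rules=["203.0.113.0/24", "10.0.0.0/8", "2001:db8::/32", "0.0.0.0/0"])))
    print(is_allowed(SAMPLE_ACLS, source_ip="203.0.113.7"), is_allowed(SAMPLE_ACLS, source_ip="198.51.100.9"))
```

The private-endpoint short-circuit is the point to remember when reviewing a vault: once a private endpoint exists, the IP and VNet rules only govern the public path, so a client inside the VNet is not "outside the allowed list" even though its address appears nowhere in the rules.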

TLS and HTTPS

  • The Key Vault front end (data plane) is a multi-tenant server. This means that key vaults from different customers can share the same public IP address. To achieve isolation, each HTTP request is authenticated and authorized independently of other requests.
  • A scan may identify older TLS versions as a reportable vulnerability, but because the public IP address is shared, the Key Vault service team cannot disable old TLS versions for individual key vaults at the transport level.
  • The HTTPS protocol allows the client to participate in TLS negotiation. Clients can enforce the most recent version of TLS, and whenever a client does so, the entire connection uses the corresponding level of protection. The fact that Key Vault still supports older TLS versions doesn't impair the security of connections that use newer TLS versions.
  • Despite known vulnerabilities in the TLS protocol, there is no known attack that would allow a malicious agent to extract any information from your key vault when the attacker initiates a connection with a vulnerable TLS version. The attacker would still need to authenticate and be authorized, and as long as legitimate clients always connect with recent TLS versions, credentials cannot have been leaked through vulnerabilities in old TLS versions.

Identity management

When you create a key vault in an Azure subscription, it's automatically associated with the Azure AD tenant of the subscription. Anyone trying to manage or retrieve content from a vault must be authenticated by Azure AD. In both cases, applications can access Key Vault in three ways:

  • Application-only: The application represents a service principal or managed identity. This identity is the most common scenario for applications that periodically need to access certificates, keys, or secrets from the key vault. For this scenario to work, the objectId of the application must be specified in the access policy and the applicationId must not be specified or must be null.
  • User-only: The user accesses the key vault from any application registered in the tenant. Examples of this type of access include Azure PowerShell and the Azure portal. For this scenario to work, the objectId of the user must be specified in the access policy and the applicationId must not be specified or must be null.
  • Application-plus-user (sometimes referred to as compound identity): The user is required to access the key vault from a specific application, and the application must use the on-behalf-of (OBO) authentication flow to impersonate the user. For this scenario to work, both applicationId and objectId must be specified in the access policy. The applicationId identifies the required application and the objectId identifies the user. Currently, this option isn't available for data plane Azure RBAC.

In all types of access, the application authenticates with Azure AD, using any supported authentication method for its application type. It acquires a token for a resource in the plane it needs to reach; the resource is an endpoint in the management or data plane, and its value depends on the Azure environment. The application then uses the token in a REST API request to Key Vault. To learn more, review the whole authentication flow.

For full details, see Key Vault Authentication Fundamentals.
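The two practitioner-side points in the TLS and authentication sections above (the client, not the service, pins the TLS floor; an application-only caller gets a token for the data-plane resource and presents it as a bearer token) can be seen end to end in a small client. The following is an added example written against the Python standard library only; it is not the Azure SDK and not Microsoft code. Endpoints are the Azure China 21Vianet ones (login.chinacloudapi.cn, vault.azure.cn); the vault, tenant and client values are placeholders, the challenge string in the usage is constructed, and the set of accepted login hosts is an assumption. get_secret() needs network access and a real service principal; the other functions run offline.

```python
"""Key Vault data-plane read with client-enforced TLS 1.2+ and the bearer-token flow.

Added example using only the standard library (not the Azure SDK, not Microsoft
code). Flow: unauthenticated GET -> 401 with a Bearer challenge naming the
authority and resource -> client-credentials token for that resource ->
authorized GET. Endpoints are Azure China 21Vianet; names are placeholders.
"""
import http.client
import json
import re
import ssl
import urllib.parse

# Azure AD endpoints for Azure China that a challenge is allowed to point at (assumption)
LOGIN_HOSTS = {"login.chinacloudapi.cn", "login.partner.microsoftonline.cn"}
DATA_PLANE_RESOURCE = "https://vault.azure.cn"   # token audience for <vault>.vault.azure.cn
API_VERSION = "7.4"


def tls_context():
    """Certificate- and hostname-verifying context that refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def parse_challenge(www_authenticate):
    """Parse the Bearer challenge Key Vault returns (HTTP 401) to an unauthenticated request.

    Example: Bearer authorization="https://login.chinacloudapi.cn/<tenant>", resource="https://vault.azure.cn"
    Returns the authority (with tenant) and the scope to request a token for.
    """
    scheme, _, rest = www_authenticate.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    params = dict(re.findall(r'(\w+)="([^"]*)"', rest))
    authority = params.get("authorization", "")
    # Never send client credentials to an authority the challenge picked for us
    if urllib.parse.urlsplit(authority).netloc.lower() not in LOGIN_HOSTS:
        raise ValueError(f"unexpected authority in challenge: {authority!r}")
    scope = params.get("scope") or params.get("resource", DATA_PLANE_RESOURCE).rstrip("/") + "/.default"
    return {"authority": authority.rstrip("/"), "scope": scope}


def secret_url(vault_name, secret_name):
    if not re.fullmatch(r"[0-9A-Za-z-]{1,127}", secret_name):   # Key Vault object-name rules
        raise ValueError("invalid secret name")
    return f"https://{vault_name}.vault.azure.cn/secrets/{secret_name}?api-version={API_VERSION}"


def https(method, url, headers=None, body=None):
    """One HTTPS request over a TLS 1.2+ connection; returns (status, headers, body)."""
    u = urllib.parse.urlsplit(url)
    conn = http.client.HTTPSConnection(u.netloc, context=tls_context(), timeout=10)
    conn.request(method, u.path + (f"?{u.query}" if u.query else ""), body=body, headers=headers or {})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, resp.headers, data


def acquire_token(authority, client_id, client_secret, scope):
    """OAuth 2.0 client-credentials grant against the v2.0 token endpoint (application-only)."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": scope})
    status, _, data = https("POST", f"{authority}/oauth2/v2.0/token",
                            {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {data[:200]!r}")
    return json.loads(data)["access_token"]


def get_secret(vault_name, secret_name, client_id, client_secret):
    """Application-only read of a secret: challenge -> token -> authorized GET."""
    url = secret_url(vault_name, secret_name)
    status, headers, _ = https("GET", url)
    if status != 401:
        raise RuntimeError(f"expected a 401 challenge, got {status}")
    ch = parse_challenge(headers.get("WWW-Authenticate", ""))
    token = acquire_token(ch["authority"], client_id, client_secret, ch["scope"])
    status, _, data = https("GET", url, {"Authorization": f"Bearer {token}"})
    if status != 200:   # 403 here means authentication succeeded but no policy or role grants secrets/get
        raise RuntimeError(f"secret read failed: {status} {data[:200]!r}")
    return json.loads(data)["value"]


if __name__ == "__main__":
    print(parse_challenge('Bearer authorization="https://login.chinacloudapi.cn/11111111-2222-3333-4444-555555555555", '
                          'resource="https://vault.azure.cn"'))
```

Two details matter in practice: the authority host check in parse_challenge() is what keeps a misdirected challenge from turning into credential disclosure, and the distinction between a 401 (no or bad token) and a 403 (valid token, no permission) is the first thing to look at when an application "cannot read its secret".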

Privileged access

Authorization determines which operations the caller can perform. Authorization in Key Vault uses a combination of Azure role-based access control (Azure RBAC) and Azure Key Vault access policies.

Access to vaults takes place through two interfaces, or planes: the management plane and the data plane.

  • The management plane is where you manage Key Vault itself; it is the interface used to create and delete vaults. You can also read key vault properties and manage access policies.
  • The data plane allows you to work with the data stored in a key vault. You can add, delete, and modify keys, secrets, and certificates.

Applications access the planes through endpoints. The access controls for the two planes work independently. To grant an application access to use keys in a key vault, you grant data plane access by using a Key Vault access policy or Azure RBAC. To grant a user read access to Key Vault properties and tags, but not access to the data (keys, secrets, or certificates), you grant management plane access with Azure RBAC.

The following table shows the endpoints for the management and data planes.

Management plane
  Access endpoints: Azure China 21Vianet: management.chinacloudapi.cn:443
  Operations: create, read, update, and delete key vaults; set Key Vault access policies; set Key Vault tags
  Access control mechanism: Azure RBAC

Data plane
  Access endpoints: Azure China 21Vianet: <vault-name>.vault.azure.cn:443
  Operations:
    Keys: encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, recover, backup, restore, purge
    Certificates: managecontacts, getissuers, listissuers, setissuers, deleteissuers, manageissuers, get, list, create, import, update, delete, recover, backup, restore, purge
    Secrets: get, list, set, delete, recover, backup, restore, purge
  Access control mechanism: Key Vault access policy or Azure RBAC (preview)

Managing administrative access to Key Vault

When you create a key vault in a resource group, you manage access by using Azure AD. You grant users or groups the ability to manage the key vaults in a resource group. You can grant access at a specific scope level by assigning the appropriate Azure roles. To grant a user access to manage key vaults, you assign the predefined Key Vault Contributor role to the user at a specific scope. The following scope levels can be assigned to an Azure role:

  • Subscription: An Azure role assigned at the subscription level applies to all resource groups and resources within that subscription.
  • Resource group: An Azure role assigned at the resource group level applies to all resources in that resource group.
  • Specific resource: An Azure role assigned for a specific resource applies to that resource. In this case, the resource is a specific key vault.

There are several predefined roles. If a predefined role doesn't fit your needs, you can define your own role. For more information, see Azure RBAC: Built-in roles.

Important

If a user has Contributor permissions to a key vault's management plane, the user can grant themselves access to the data plane by setting a Key Vault access policy. You should tightly control who has Contributor role access to your key vaults. Ensure that only authorized persons can access and manage your key vaults, keys, secrets, and certificates.
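Because roles inherit down the scope hierarchy, the people who can set access policies on a vault are rarely all visible on the vault itself: a Contributor at subscription scope covers every vault in the subscription. The following is an added example (not Microsoft code) that applies the scope inheritance listed above to role assignments shaped like the output of `az role assignment list --all` (principalName, roleDefinitionName, scope) and reports who can grant themselves data-plane access. The assignment records and resource IDs are constructed sample data, and the set of escalating built-in roles is an assumption to extend with any custom role that can write access policies.

```python
"""Who can grant themselves data-plane access on a vault? (added example, not Microsoft code)

Applies scope inheritance (subscription -> resource group -> resource) to role
assignments and lists principals whose management-plane role can write access
policies. Assignments are constructed sample data; ESCALATING_ROLES is an
assumption covering the built-in roles that manage vault properties.
"""
ESCALATING_ROLES = {"Owner", "Contributor", "Key Vault Contributor"}


def scope_covers(assignment_scope, resource_id):
    """True if a role assigned at assignment_scope applies to resource_id."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_id.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def effective_roles(assignments, vault_id):
    """Map principal -> set of role names that apply to the vault, across all scopes."""
    roles = {}
    for a in assignments:
        if scope_covers(a["scope"], vault_id):
            roles.setdefault(a["principalName"], set()).add(a["roleDefinitionName"])
    return roles


def can_self_grant_data_plane(assignments, vault_id):
    """Principals holding a role that lets them set access policies on the vault."""
    return sorted(p for p, r in effective_roles(assignments, vault_id).items() if r & ESCALATING_ROLES)


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VAULT_ID = f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod"

# Constructed sample assignments, one per scope level plus one unrelated resource group
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.cn", "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "bob@contoso.cn", "roleDefinitionName": "Reader", "scope": f"{SUB}/resourceGroups/rg-prod"},
    {"principalName": "carol@contoso.cn", "roleDefinitionName": "Key Vault Contributor", "scope": VAULT_ID},
    {"principalName": "dave@contoso.cn", "roleDefinitionName": "Contributor", "scope": f"{SUB}/resourceGroups/rg-dev"},
    {"principalName": "app-billing", "roleDefinitionName": "Key Vault Secrets User", "scope": VAULT_ID},
]

if __name__ == "__main__":
    for principal in can_self_grant_data_plane(SAMPLE_ASSIGNMENTS, VAULT_ID):
        print(principal, sorted(effective_roles(SAMPLE_ASSIGNMENTS, VAULT_ID)[principal]))
```

Note that alice appears even though nothing is assigned on the vault or its resource group; that subscription-level Contributor is exactly the case the warning above is about.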

Controlling access to Key Vault data

Key Vault access policies grant permissions separately to keys, secrets, or certificates. You can grant a user access only to keys and not to secrets. Access permissions for keys, secrets, and certificates are managed at the vault level.

Important

Key Vault access policies don't support granular, object-level permissions such as a specific key, secret, or certificate. When a user is granted permission to create and delete keys, they can perform those operations on all keys in that key vault.

You can set access policies for a key vault by using the Azure portal, the Azure CLI, Azure PowerShell, or the Key Vault Management REST APIs.
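The three identity modes under Identity management (application-only, user-only, compound) and the vault-level granularity stated above are both rules about how an access policy entry is matched against the claims in a token. The following is an added example that encodes those rules as stated on this page; it is not Microsoft's authorization implementation. Policies and callers are constructed sample data, the object IDs and application IDs are placeholders, and the helper that renders an `az keyvault set-policy` command uses the CLI's documented `--object-id`, `--application-id` and `--*-permissions` flags.

```python
"""Access-policy evaluation covering the three identity modes and vault-level granularity.

Added example; it reproduces the matching rules stated on this page, not
Microsoft's implementation. A policy is keyed by objectId and, for compound
identity, applicationId; permissions are lists per object type and apply to
every object of that type in the vault. A caller is the set of claims its
token carries: oid, and appid for the application the token was issued to.
The policies and callers below are constructed sample data.
"""


def policy_matches(policy, caller):
    """Application-only and user-only policies (no applicationId) match any token with
    that oid; a compound policy additionally requires the token's appid."""
    if policy["object_id"].lower() != caller["oid"].lower():
        return False
    if not policy.get("application_id"):
        return True
    return (caller.get("appid") or "").lower() == policy["application_id"].lower()


def is_permitted(policies, caller, object_type, operation, object_name=None):
    """object_name is accepted only to make the point: it never affects the decision."""
    for p in policies:
        if policy_matches(p, caller):
            granted = {o.lower() for o in p["permissions"].get(object_type, [])}
            if operation.lower() in granted:
                return True
    return False


def az_set_policy(vault_name, policy):
    """Render the equivalent `az keyvault set-policy` command for a policy entry."""
    parts = ["az keyvault set-policy", "--name", vault_name, "--object-id", policy["object_id"]]
    if policy.get("application_id"):
        parts += ["--application-id", policy["application_id"]]
    for kind, flag in (("keys", "--key-permissions"), ("secrets", "--secret-permissions"),
                       ("certificates", "--certificate-permissions")):
        if policy["permissions"].get(kind):
            parts += [flag, *policy["permissions"][kind]]
    return " ".join(parts)


# Placeholder identifiers (constructed)
APP_SP_OID = "aaaaaaaa-0000-0000-0000-000000000001"   # service principal of app 'billing'
APP_ID = "bbbbbbbb-0000-0000-0000-000000000002"       # application (client) ID of 'billing'
ALICE_OID = "cccccccc-0000-0000-0000-000000000003"
PORTAL_APP_ID = "dddddddd-0000-0000-0000-000000000004"   # stands in for the portal's appid

SAMPLE_POLICIES = [
    # application-only: the service principal reads secrets on its own
    {"object_id": APP_SP_OID, "application_id": None, "permissions": {"secrets": ["get", "list"]}},
    # user-only: alice, from any tool (portal, PowerShell), may only read keys
    {"object_id": ALICE_OID, "application_id": None, "permissions": {"keys": ["get", "list"]}},
    # compound: alice, but only through the billing app (OBO token), may read secrets
    {"object_id": ALICE_OID, "application_id": APP_ID, "permissions": {"secrets": ["get"]}},
]

BILLING_SP = {"oid": APP_SP_OID, "appid": APP_ID}
ALICE_PORTAL = {"oid": ALICE_OID, "appid": PORTAL_APP_ID}
ALICE_VIA_BILLING = {"oid": ALICE_OID, "appid": APP_ID}

if __name__ == "__main__":
    for name in ("db-password", "api-key"):   # same answer for every secret: permissions are vault-wide
        print(name, is_permitted(SAMPLE_POLICIES, BILLING_SP, "secrets", "get", name))
    print(az_set_policy("kv-prod", SAMPLE_POLICIES[2]))
```

The two calls in the usage return the same value for any secret name, which is the practical meaning of "no object-level permissions": if an application only needs one secret out of twenty, the separation has to come from a separate vault, not from the policy.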

You can restrict data plane access by using virtual network service endpoints for Azure Key Vault. You can configure firewalls and virtual network rules for an additional layer of security.

Logging and monitoring

Key Vault logging saves information about the activities performed on your vault. For full details, see Key Vault logging.

You can integrate Key Vault with Event Grid to be notified when the status of a key, certificate, or secret stored in the key vault has changed.

It is also important to monitor the health of your key vault, to make sure the service operates as intended. To learn how to do so, see Monitoring and alerting for Azure Key Vault.
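Collecting the vault log is only useful with something reading it. The following is an added example (not Microsoft code) of three detections a security team would run over Key Vault AuditEvent records: bursts of denied requests from one caller, successful high-impact operations on the vault, and successful data-plane reads from outside the expected source ranges (tying back to the firewall section). Records use the AuditEvent field names (operationName, resultSignature, callerIpAddress, identity.claim, properties.id); the records below are constructed sample lines, the thresholds are assumptions, and the set of high-impact operation names is an assumption to adjust against the operation list in the Key Vault logging documentation.

```python
"""Detections over Key Vault diagnostic (AuditEvent) records, as an added example (not Microsoft code).

Records are constructed sample data in the AuditEvent shape; thresholds and the
operation-name sets are assumptions.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime

# Vault configuration writes (access-policy edits arrive through the management plane) and purges
HIGH_IMPACT_OPS = {"VaultPut", "VaultPatch", "VaultDelete", "VaultPurge",
                   "KeyPurge", "SecretPurge", "CertificatePurge"}
DATA_READ_OPS = {"SecretGet", "KeyGet", "CertificateGet", "KeyDecrypt", "KeyUnwrap", "KeySign"}

SUB_VAULT = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod"

SAMPLE_LOG = f"""\
{{"time":"2024-05-01T10:00:01Z","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"203.0.113.7","identity":{{"claim":{{"oid":"aaaa-1","appid":"bbbb-2"}}}},"properties":{{"id":"https://kv-prod.vault.azure.cn/secrets/db-password/1a2b"}}}}
{{"time":"2024-05-01T10:00:05Z","operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"198.51.100.9","identity":{{"claim":{{"oid":"eeee-5"}}}},"properties":{{"id":"https://kv-prod.vault.azure.cn/secrets/db-password"}}}}
{{"time":"2024-05-01T10:00:09Z","operationName":"SecretList","resultSignature":"Forbidden","callerIpAddress":"198.51.100.9","identity":{{"claim":{{"oid":"eeee-5"}}}},"properties":{{}}}}
{{"time":"2024-05-01T10:00:12Z","operationName":"KeyGet","resultSignature":"Forbidden","callerIpAddress":"198.51.100.9","identity":{{"claim":{{"oid":"eeee-5"}}}},"properties":{{}}}}
{{"time":"2024-05-01T10:03:00Z","operationName":"VaultPatch","resultSignature":"OK","callerIpAddress":"203.0.113.40","identity":{{"claim":{{"oid":"cccc-3","upn":"alice@contoso.cn"}}}},"properties":{{"id":"{SUB_VAULT}"}}}}
{{"time":"2024-05-01T10:04:00Z","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"192.0.2.55","identity":{{"claim":{{"oid":"cccc-3","upn":"alice@contoso.cn"}}}},"properties":{{"id":"https://kv-prod.vault.azure.cn/secrets/db-password/1a2b"}}}}
{{"time":"2024-05-01T11:00:00Z","operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"198.51.100.9","identity":{{"claim":{{"oid":"eeee-5"}}}},"properties":{{}}}}
"""


def parse_records(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(rec):
    return datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))


def _caller(rec):
    claim = rec.get("identity", {}).get("claim", {})
    return claim.get("upn") or claim.get("oid") or "anonymous"


def failed_access_bursts(records, threshold=3, window_s=300):
    """(caller, source IP) pairs with at least `threshold` denied requests inside `window_s` seconds."""
    denied = defaultdict(list)
    for r in records:
        if r.get("resultSignature") in ("Forbidden", "Unauthorized"):
            denied[(_caller(r), r.get("callerIpAddress"))].append(_ts(r))
    hits = []
    for key, times in denied.items():
        times.sort()
        for i in range(len(times) - threshold + 1):      # sliding window over sorted timestamps
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                hits.append(key)
                break
    return hits


def high_impact_changes(records):
    """Successful vault configuration writes and purges, with who did them."""
    return [(r["operationName"], _caller(r)) for r in records
            if r.get("operationName") in HIGH_IMPACT_OPS and r.get("resultSignature") == "OK"]


def reads_from_unexpected_ips(records, expected_cidrs):
    """Successful data-plane reads whose source address is outside the expected ranges."""
    nets = [ipaddress.ip_network(c) for c in expected_cidrs]
    out = []
    for r in records:
        if r.get("operationName") in DATA_READ_OPS and r.get("resultSignature") == "OK":
            ip = ipaddress.ip_address(r["callerIpAddress"])
            if not any(ip in n for n in nets):
                out.append((_caller(r), str(ip), r.get("properties", {}).get("id")))
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("bursts:", failed_access_bursts(recs))
    print("changes:", high_impact_changes(recs))
    print("unexpected reads:", reads_from_unexpected_ips(recs, ["203.0.113.0/24"]))
```

The third check is the one that should never fire once the firewall rules from the network section are in place; if it does, the rules or a private endpoint are not what you think they are.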

Backup and recovery

Azure Key Vault soft-delete and purge protection allow you to recover deleted vaults and vault objects. For full details, see Azure Key Vault soft-delete overview.

You should also take regular backups of your vault, and back up objects whenever they are created, updated, or deleted.

Next steps