Framework/Configurations/SVT/Services/KeyVault.json

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
{
    "FeatureName": "KeyVault",
    "Reference": "aka.ms/azsktcp/keyvault",
    "IsMaintenanceMode": false,
    "Controls": [
      {
        "ControlID": "Azure_KeyVault_AuthN_Use_Cert_Auth_for_Apps",
        "Description": "Azure Active Directory applications, which have access to Key Vault, must use certificate to authenticate to Key Vault",
        "Id": "KeyVault110",
        "ControlSeverity": "High",
        "Automated": "Yes",
        "MethodName": "CheckAppAuthenticationCertificate",
        "Rationale": "Password/shared secret credentials can be easily shared and hence can be easily compromised. Certificate credentials offer better security.",
        "Recommendation": "Remove any password credentials from Azure AD Applications and use certificate credentials instead. Run command Remove-AzureADApplicationPasswordCredential -InformationAction '{ActionPreference}' -InformationVariable '{InformationVariable}' -KeyId '{KeyId}' -ObjectId '{ObjectId}'. Refer: https://docs.microsoft.com/en-us/powershell/module/azuread/remove-azureadapplicationpasswordcredential?view=azureadps-2.0, https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials#register-your-certificate-with-azure-ad",
        "Tags": [
          "SDL",
          "TCP",
          "Automated",
          "AuthN",
          "OwnerAccess"
        ],
        "Enabled": true
      },
                     {
                         "ControlID": "Azure_KeyVault_AuthN_Dont_Share_KeyVault_Unless_Trust",
                         "Description": "Applications must not share a Key Vault unless they trust each other and they need access to the same secrets at runtime",
                         "Id": "KeyVault120",
                         "ControlSeverity": "High",
                         "Automated": "Yes",
                         "MethodName": "CheckAppsSharingKayVault",
                         "Rationale": "Key Vault contains critical information like credentials/secrets etc. All applications can access all secrets from a given Key Vault. This can violate trust boundaries between applications.",
                         "Recommendation": "Ensure that there is a clear need for apps to share secrets if they are sharing a Key Vault. Else setup independent Key Vaults for each application.",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Automated",
                                      "AuthN"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_KeyVault_AuthZ_Grant_Min_RBAC_Access",
                         "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
                         "Id": "KeyVault130",
                         "ControlSeverity": "High",
                         "Automated": "Yes",
                         "MethodName": "CheckRBACAccess",
                         "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
                         "Recommendation": "Remove any excessive privileges granted on the Key Vault. Run command Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help. Assign 'Key Vault Contributor' RBAC role to developers who need to manage Key Vault configurations. Refer: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault, https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Automated",
                                      "AuthZ",
                                      "RBAC"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_KeyVault_AuthZ_Grant_Min_Access_policies",
                         "Description": "All Key Vault access policies must be defined with minimum required permissions to keys and secrets",
                         "Id": "KeyVault140",
                         "ControlSeverity": "High",
                         "Automated": "Yes",
                         "MethodName": "CheckAccessPolicies",
                         "Rationale": "Granting minimum access by defining Key Vault access policies ensures that applications/users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
                         "Recommendation": "Use command Set-AzureRmKeyVaultAccessPolicy -VaultName '{VaultName}' -ResourceGroupName '{ResourceGroupName}' -PermissionsToKeys '{PermissionsToKeys}' -PermissionsToSecrets '{PermissionsToSecrets}' -PermissionsToCertificates '{PermissionsToCertificates}' -ObjectId '{ObjectId}'. Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/set-azurermkeyvaultaccesspolicy",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Automated",
                                      "AuthZ",
                                      "RBAC"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_KeyVault_AuthZ_Configure_Advanced_Access_Policies",
                         "Description": "Advanced access policies must be configured on a need basis",
                         "Id": "KeyVault150",
                        "ControlSeverity": "Medium",
                         "Automated": "Yes",
                         "MethodName": "CheckAdvancedAccessPolicies",
                         "Rationale": "Advanced access policy allows Azure services (Azure Resource Manager, Virtual Machine, Disk Encryption etc.) to seamlessly access Key Vault. To avoid unintentional access to Key Vault from Azure services, advanced access policies must be configured only as required.",
                         "Recommendation": "Remove any advanced policies that are not required using the command: Remove-AzureRmKeyVaultAccessPolicy -VaultName '{VaultName}' -ResourceGroupName '{ResourceGroupName}' -EnabledForDeployment -EnabledForTemplateDeployment -EnabledForDiskEncryption. Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/remove-azurermkeyvaultaccesspolicy",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Automated",
                                      "AuthZ"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_KeyVault_DP_Keys_Protect_By_HSM",
                         "Description": "All Keys in Key Vault must be protected by HSM [Key Type = HSM Protected Key]",
                         "Id": "KeyVault160",
                         "ControlSeverity": "Medium",
                         "Automated": "Yes",
                         "MethodName": "CheckKeyHSMProtected",
                         "Rationale": "A hardware security module (HSM) is a physical device that provides extra security for sensitive data like Keys. HSMs make sure that the keys never leave the HSM boundary throughout their lifecycle. Using HSMs for key protection is required for keys that encrypt highly sensitive data (often in regulated environments).",
                         "Recommendation": "Remove the non-HSM keys and recreate the removed ones within a destination Key Vault of type HSM. Run command Remove-AzureKeyVaultKey -VaultName '{KeyVaultName}' -Name '{KeyName}' to remove non-HSM key. Use command Add-AzureKeyVaultKey -VaultName '{VaultName}' -Name '{KeyName}' -Expires '{ExpiryDate}' -Destination 'HSM' -KeyOps '{KeyOps}'. Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/add-azurekeyvaultkey, https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/remove-azurekeyvaultkey",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Automated",
                                      "DP"
                                  ],
                         "Enabled": true
                     },
      {
         "ControlID": "Azure_KeyVault_DP_Keys_Secrets_Check_Expiry_Date",
         "Description": "All Keys and Secrets in Key Vault must have expiration dates",
         "Id": "KeyVault170",
         "ControlSeverity": "Medium",
         "Automated": "Yes",
         "MethodName": "CheckKeyExpirationDate",
         "Rationale": "Expiration dates on keys ensure that keys are rotated on a periodic basis. Key rotation is an important security hygiene activity.",
         "Recommendation": "To add an expiry date to keys, run command: Set-AzureKeyVaultKeyAttribute -VaultName '{KeyVaultName}' -Name '{KeyName}' -Expires '{ExpiryDate}'. Expiry date should not be more than $($this.ControlSettings.KeyVault.KeyRotationDuration_Days) days for keys. To add an expiry date to secrets, run command: Set-AzureKeyVaultSecretAttribute -VaultName '{KeyVaultName}' -Name '{SecreName}' -Expires '{ExpiryDate}', Expiry date should not be more than $($this.ControlSettings.KeyVault.SecretRotationDuration_Days) days for secrets.",
         "Tags": [
            "SDL",
            "TCP",
            "Automated",
            "DP",
            "KeyRotation",
            "OwnerAccess",
            "KeyVaultAccess"
         ],
         "Enabled": true
      },
                     {
                         "ControlID": "Azure_KeyVault_Audit_Enable_Diagnostics_Log",
                         "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.",
                         "Id": "KeyVault180",
                         "ControlSeverity": "Medium",
                         "Automated": "Yes",
                         "MethodName": "CheckDiagnosticsSettings",
                         "Rationale": "Logs should be retained for a long enough period so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is typical for several compliance requirements as well.",
                         "Recommendation": "Run command: Set-AzureRmDiagnosticSetting -ResourceId {'ResourceId'} -Enable `$true -StorageAccountId '{StorageAccountId}' -RetentionInDays $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) -RetentionEnabled `$true",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Automated",
                                      "Audit",
                                      "Diagnostics"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_KeyVault_AuthN_Key_Min_Operation",
                         "Description": "Restrict the cryptographic operations permitted using keys to the ones actually required",
                         "Id": "KeyVault190",
                         "ControlSeverity": "High",
                         "Automated": "Yes",
                         "MethodName": "CheckKeyMinimumOperations",
                         "Rationale": "Restricting the operations to be performed on Keys ensures that applications/users can perform only intended operations. This minimizes exposure of the Keys in case of user/service account compromise.",
                         "Recommendation": "Run command Set-AzureKeyVaultKeyAttribute -VaultName '{KeyVaultName}' -Name '{KeyName}' -KeyOps '{KeyOps}'. Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/set-azurekeyvaultkeyattribute",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Automated",
                                      "AuthN"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_KeyVault_DP_Identify_Roles",
                         "Description": "Key Vault owner must grant minimum required access to keys/secrets based on individual roles (Developer/Operator/Auditor/Security Team)",
                         "Id": "KeyVault200",
                         "ControlSeverity": "High",
                         "Automated": "No",
                         "MethodName": "",
                         "Rationale": "Identifying and assigning various roles ensures proper separation of duties.",
                         "Recommendation": "Key Vault owner must identify different roles that need various levels of access on keyvault keys/secrets and configure them using a least privilege model. Refer: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Manual",
                                      "DP"
                                  ],
                         "Enabled": true
                     },
                     {
                         "ControlID": "Azure_KeyVault_DP_Rotate_Key_Periodocally",
                         "Description": "Keys/secrets must be rotated periodically",
                         "Id": "KeyVault210",
                         "ControlSeverity": "Medium",
                         "Automated": "No",
                         "MethodName": "",
                         "Rationale": "Periodic key/password rotation is a good security hygiene practice as, over time, it minimizes the likelihood of data loss/compromise which can arise from key theft/brute forcing/recovery attacks.",
                         "Recommendation": "Rotate the keys and secrets at regular intervals. Run command: Set-AzureKeyVaultKeyAttribute -VaultName '{KeyVaultName}' -Name '{KeyName}' -Expires '{ExpiryDate}' -Version '{Version}' to generate new version for key. Run command: Set-AzureKeyVaultSecretAttribute -VaultName '{KeyVaultName}' -Name '{KeyName}' -Expires '{ExpiryDate}' -Version '{Version}' to generate new version for secret.",
                         "Tags": [
                                      "SDL",
                                      "TCP",
                                      "Manual",
                                      "DP"
                                  ],
                         "Enabled": true
                     },
      {
        "ControlID": "Azure_KeyVault_Audit_Review_Logs",
        "Description": "Diagnostic logs for Key Vault must be reviewed periodically",
        "Id": "KeyVault220",
        "ControlSeverity": "Medium",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "Periodic reviews of diagnostics, activity and audit logs ensures that anomalous activity can be identified early enough instead of after a major compromise.",
        "Recommendation": "Review diagnostic logs at regular intervals for different operations carried out on keys and secrets. Refer: https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-azure-key-vault",
        "Tags": [
          "SDL",
          "TCP",
          "Manual",
          "Audit"
        ],
        "Enabled": true
      },
      {
      "ControlID": "Azure_KeyVault_SI_Enable_SoftDelete",
      "Description": "Soft delete must be enabled to allow recovery of deleted Key Vault and any objects (keys, secrets, etc.) contained in it.",
      "Id": "KeyVault230",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckKeyVaultSoftDelete",
      "Rationale": "Enabling soft delete feature on Key Vault acts as a safety measure to recover inadvertently or maliciously deleted Key Vault and any objects (keys, secrets, etc.) contained in it.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-powershell to enable soft delete feature on Key Vault.",
      "Tags": [
         "SDL",
         "TCP",
         "Automated"
 
      ],
      "Enabled": true
   }
                 ]
}