| 1 | +--- |
| 2 | +title: Security recommendations for Azure Key Vault |
| 3 | +description: Security recommendations for Azure Key Vault. Implementing this guidance will help you fulfill your security obligations as described in our shared responsibility model |
| 4 | +services: key-vault |
| 5 | +author: barclayn |
| 6 | +manager: rkarlin |
| 7 | +ms.service: key-vault |
| 8 | +ms.topic: article |
| 9 | +ms.date: 09/19/2019 |
| 10 | +ms.author: barclayn |
| 11 | +ms.custom: security-recommendations |
| 12 | + |
| 13 | +--- |
| 14 | + |
| 15 | +# Security recommendations for Azure Key Vault |
| 16 | + |
| 17 | +This article contains security recommendations for Azure App Service. Implementing these recommendations will help you fulfill your security obligations as described in our shared responsibility model and will improve the overall security for your Web App solutions. For more information on what Microsoft does to fulfill service provider responsibilities, read [Shared responsibilities for cloud computing](https://gallery.technet.microsoft.com/Shared-Responsibilities-81d0ff91/file/153019/1/Shared%20responsibilities%20for%20cloud%20computing.pdf). |
| 18 | + |
| 19 | +Some of the recommendations included in this article can be automatically monitored by Azure Security Center. Azure Security Center is the first line of defense in protecting your resources in Azure. It periodically analyzes the security state of your Azure resources to identify potential security vulnerabilities. It then provides you with recommendations on how to address them. |
| 20 | + |
| 21 | +- For more information on Azure Security Center recommendations, see [Security recommendations in Azure Security Center](../security-center/security-center-recommendations.md). |
| 22 | +- For information on Azure Security Center see the [What is Azure Security Center?](../security-center/security-center-intro.md) |
| 23 | + |
| 24 | +## Recommendations |
| 25 | + |
| 26 | +| Category | Recommendation | Comments | Security Center | |
| 27 | +|-|-|----|--| |
| 28 | +| Data protection |Enable soft delete | [Soft delete](key-vault-ovw-soft-delete.md) allows you to recover deleted vaults and vault objects | - | |
| 29 | +| Data protection | Limit access to vault data | Follow the principle of least privilege and limit which members of your organization have access to vault data | - | |
| 30 | +| Identity and access management | Limit the number of users with contributor access | If a user has Contributor permissions to a key vault management plane, the user can grant themselves access to the data plane by setting a Key Vault access policy. You should tightly control who has Contributor role access to your key vaults. Ensure that only those with a need for access authorized persons can access and manage your vaults. You can read [Secure access to a key vault](key-vault-secure-your-key-vault.md) | - | |
| 31 | +| Monitoring | Diagnostics logs in Key Vault should be enabled | Enable logs and retain them up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. | [Yes](../security-center/security-center-identity-access.md) | |
| 32 | +| Monitoring | Restrict who can access your Azure Key vault logs | [Key Vault logs](key-vault-logging.md) save information about the activities performed on your vault such as creation or deletion of vaults, keys, secrets and may be used during an investigation | - | |
| 33 | +| Networking |Limit network exposure | Network access should be limited to the virtual networks used by solutions requiring vault access. Review information on [Virtual network service endpoints for Azure Key Vault](key-vault-overview-vnet-service-endpoints.md) | - | |
| 34 | + |
| 35 | +## Next steps |
| 36 | + |
| 37 | +Check with your application provider to see if there are additional security requirements. For more information on developing secure applications, see [Secure Development Documentation](../security/fundamentals/abstract-develop-secure-apps.md). |
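Review bot: the intro paragraph was copied from the App Service article and still names the wrong service: "This article contains security recommendations for Azure App Service" and "will improve the overall security for your Web App solutions" should both refer to Azure Key Vault (and key vault solutions) to match the title and the description in the front matter. Two wording issues in the same file: the second bullet under the Security Center paragraph should read "For information on Azure Security Center, see [What is Azure Security Center?](...)" (the leading "the" does not fit the link text), and the Contributor row in the table has a garbled clause, "Ensure that only those with a need for access authorized persons can access and manage your vaults", which reads more clearly as "Ensure that only authorized persons with a need for access can access and manage your vaults". Also worth a second look: the Security Center link in the diagnostics-logs row points to security-center-identity-access.md, which does not obviously match a recommendation about log collection and retention.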