As a security admin, you need to ensure your cryptographic keys and secrets for cloud applications and services are safely stored. Azure Key Vault streamlines the key management process and enables you to maintain control of keys that access and encrypt your data.

By using Key Vault, you can encrypt keys and secrets (such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords) using keys protected by hardware security modules (HSMs). Developers can create keys for development and testing in minutes, and then seamlessly migrate them to production keys. Security administrators can grant (and revoke) permission to keys, as needed.

If you are using Azure Key Vault it is important that you ensure it meets your security requirements in Azure. You can now reason on the KeyVault attribute from within the Dome9 Compliance Engine.  The accessPolicies section reflects the data configured at the KeyVault’s Advanced access policies blade in the Azure portal (permissions). You can reason on it as well.

Below are some examples of queries you can run in GSL within the Compliance Engine:

1. Non empty KeyVault

KeyVault should have (certificates length() > 0 or keys length() > 0 or secrets length() > 0)

2. Make sure that keys/certs/ are not about to expire

KeyVault should have keys with [ expires after (90, 'days') and enabled = true ]

Stay tuned for further updates!