Ensure Azure Key Vaults are Used to Store Secrets

Azure Key Vault should be used to securely store and control your secrets (keys, certificates, tokens, etc) within the Microsoft Azure environment. Secrets in Azure Key Vault are octet sequences with a maximum size of 25k bytes each.

Risk Level: High
Cloud Entity: Azure Key Vault
CloudGuard Rule ID: D9.AZU.CRY.01
Covered by Spectral: No
Category: Security, Identity, & Compliance


KeyVault should have (certificates length() > 0 or keys length() > 0 or secrets length() > 0)


From Portal

  1. Go to 'Key vaults' and choose your Key Vault
  2. Select 'Keys/Secrets/Certificates' under 'Settings' in the navigation menu
  3. Select 'Generate/Import' and complete the wizard

Note: Generating / importing keys, secrets, and certificates requires additional configurations, please check the documentation below for further instructions on how to generate / import them using TF / Azure CLI.


  1. https://docs.microsoft.com/en-us/cli/azure/keyvault?view=azure-cli-latest
  2. https://docs.microsoft.com/en-us/azure/key-vault/keys/quick-create-portal
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key
  4. https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-portal
  5. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret
  6. https://docs.microsoft.com/en-us/azure/key-vault/certificates/quick-create-portal
  7. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_certificate

Azure Key Vault

Secure key management is essential to protect data in the cloud. Use Azure Key Vault to encrypt keys and small secrets like passwords that use keys stored in hardware security modules (HSMs). For more assurance, import or generate keys in HSMs, and Microsoft processes your keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware). With Key Vault, Microsoft doesn���t see or extract your keys. Monitor and audit your key use with Azure logging���pipe logs into Azure HDInsight or your security information and event management (SIEM) solution for more analysis and threa

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CSA CCM v.3.0.1
  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure HIPAA
  • Azure HITRUST v9.5.0
  • Azure ITSG-33
  • Azure NIST 800-171
  • Azure NIST 800-53 Rev 4
  • Azure NIST 800-53 Rev 5
  • Azure NIST CSF v1.1
  • Azure New Zealand Information Security Manual (NZISM) v.3.4
  • CloudGuard Azure All Rules Ruleset