Risk Level: High
Cloud Entity: Azure Key Vault
CloudGuard Rule ID: D9.AZU.CRY.01
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

KeyVault should have (certificates length() > 0 or keys length() > 0 or secrets length() > 0)

REMEDIATION

From Portal

Go to 'Key vaults' and choose your Key Vault
Select 'Keys/Secrets/Certificates' under 'Settings' in the navigation menu
Select 'Generate/Import' and complete the wizard

Note: Generating / importing keys, secrets, and certificates requires additional configurations, please check the documentation below for further instructions on how to generate / import them using TF / Azure CLI.

References

Azure Key Vault

Secure key management is essential to protect data in the cloud. Use Azure Key Vault to encrypt keys and small secrets like passwords that use keys stored in hardware security modules (HSMs). For more assurance, import or generate keys in HSMs, and Microsoft processes your keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware). With Key Vault, Microsoft doesn’t see or extract your keys. Monitor and audit your key use with Azure logging—pipe logs into Azure HDInsight or your security information and event management (SIEM) solution for more analysis and threat detection.

Compliance Frameworks

AZU PCI-DSS 4.0
Azure CIS Foundations v. 1.3.1
Azure CIS Foundations v. 1.4.0
Azure CIS Foundations v. 1.5.0
Azure CIS Foundations v.2.0
Azure CSA CCM v.3.0.1
Azure CSA CCM v.4.0.1
Azure CloudGuard Best Practices
Azure HIPAA
Azure HITRUST v9.5.0
Azure ITSG-33
Azure NIST 800-171
Azure NIST 800-53 Rev 4
Azure NIST 800-53 Rev 5
Azure NIST CSF v1.1
Azure New Zealand Information Security Manual (NZISM) v.3.4
CloudGuard Azure All Rules Ruleset