Enable Microsoft Defender for Cloud for Key Vaults
Risk Level: High
Address: Security, Operational Maturity
Compliance Standards: CISAZURE, CBP, HITRUST
Triage and Remediation
Remediation
To enable Microsoft Defender for Cloud for Key Vaults in Azure using the Azure console, follow these steps:
- Log in to the Azure portal.
- Navigate to the Key Vault for which you want to enable Microsoft Defender for Cloud.
- Click on the “Security” tab in the left-hand menu.
- Click on the “Advanced security” button.
- In the “Advanced security” pane, click on the “On” button to enable Microsoft Defender for Cloud.
- Review the terms and conditions, and then click on the “Save” button.
Once you have completed these steps, Microsoft Defender for Cloud will be enabled for the Key Vault. This will help to protect your sensitive data and prevent unauthorized access to your Key Vault.
To enable Microsoft Defender for Cloud for Key Vaults in Azure using Azure CLI, follow these steps:
- Open the Azure CLI and log in to your Azure account using the command:
az login
- Once you are logged in, select the subscription where your Key Vault is located using the command:
az account set --subscription <subscription-id>
- Next, enable Microsoft Defender for Cloud for Key Vaults using the following command. The Key Vaults plan is a subscription-level Defender pricing setting, so it is managed with az security pricing (az security atp storage only applies to storage accounts and cannot enable this plan):
az security pricing create --name KeyVaults --tier standard
- This will enable Microsoft Defender for Cloud for Key Vaults in your Azure subscription.
Note: Make sure you have the necessary permissions to enable Microsoft Defender for Cloud for Key Vaults in your Azure subscription.
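As an added triage check (not part of the original page), the following Python parses the JSON that az security pricing list -o json prints and flags the Key Vaults plan when it is not on the Standard tier, emitting the remediation command above for each finding. The sample output is constructed, and its field names (value, name, pricingTier) are assumed from the CLI's flattened Microsoft.Security/pricings response.

```python
import json

# Constructed sample of `az security pricing list -o json` output for a subscription
# where Defender for Storage is on but Defender for Key Vault is still Free.
# Field names are assumed from the CLI's flattened Microsoft.Security/pricings response.
SAMPLE_PRICING_OUTPUT = json.dumps({
    "value": [
        {"name": "StorageAccounts", "pricingTier": "Standard",
         "type": "Microsoft.Security/pricings"},
        {"name": "KeyVaults", "pricingTier": "Free",
         "type": "Microsoft.Security/pricings"},
    ]
})

# Plan name used by the Defender for Cloud API -> risk level this check assigns when it is off.
REQUIRED_PLANS = {"KeyVaults": "High"}


def audit_defender_plans(cli_output: str, required=REQUIRED_PLANS) -> list:
    """Return one finding per required Defender plan that is not on the Standard tier.

    A plan that is absent from the list is treated as not enabled: the subscription
    has never had a pricing resource set for it, so it is still on the default tier.
    """
    plans = json.loads(cli_output).get("value", [])
    tiers = {p.get("name", ""): (p.get("pricingTier") or "").strip() for p in plans}
    findings = []
    for plan, risk in required.items():
        tier = tiers.get(plan)
        if tier is None or tier.lower() != "standard":
            findings.append({
                "plan": plan,
                "currentTier": tier or "NotSet",
                "risk": risk,
                "remediation": f"az security pricing create --name {plan} --tier standard",
            })
    return findings


if __name__ == "__main__":
    # Pipe real output in with: az security pricing list -o json | python audit.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PRICING_OUTPUT
    for f in audit_defender_plans(data):
        print(f"[{f['risk']}] {f['plan']} is {f['currentTier']}; fix: {f['remediation']}")
```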
To remediate the misconfiguration of not having Microsoft Defender for Cloud enabled for Key Vaults in Azure using Python, follow the steps below. Defender for Key Vault is a subscription-level Defender plan (a Microsoft.Security/pricings resource), not a property of an individual vault, so it is enabled through the Defender for Cloud management SDK (azure-mgmt-security) rather than the Key Vault management SDK.
- First, install the Azure SDK packages using the following command. Newer releases of azure-mgmt-security changed the pricings call signature (they take a scope such as "subscriptions/<subscription-id>" as the first argument), so the pin keeps the calls shown below working as written:
pip install azure-identity "azure-mgmt-security>=3,<7"
- After installation, authenticate with Azure and create a Defender for Cloud client using the following code:
from azure.identity import DefaultAzureCredential
from azure.mgmt.security import SecurityCenter
from azure.mgmt.security.models import Pricing

# DefaultAzureCredential picks up an Azure CLI login, environment variables or a managed identity.
credential = DefaultAzureCredential()
security_client = SecurityCenter(
    credential=credential,
    subscription_id="<subscription-id>"
)
Replace <subscription-id> with your Azure subscription ID.
- Next, read the current tier of the Key Vaults plan. The plan name used by the API is "KeyVaults"; a tier of "Free" means Defender for Key Vault is not enabled:
plan_name = "KeyVaults"
current = security_client.pricings.get(plan_name)
print(f"{plan_name} plan is on the {current.pricing_tier} tier")
- Finally, set the plan to the Standard tier. The update is skipped when the plan is already enabled so the script can be re-run safely:
if (current.pricing_tier or "").lower() != "standard":
    updated = security_client.pricings.update(
        plan_name,
        Pricing(pricing_tier="Standard")
    )
    print(f"{plan_name} plan is now on the {updated.pricing_tier} tier")
This will enable Microsoft Defender for Cloud for Key Vaults in the Azure subscription, which covers every Key Vault in that subscription.