Microsoft.KeyVault.vaults.delete
Event Information
- The Microsoft.KeyVault.vaults.delete event in Azure for AzureSecurityService indicates that a Key Vault has been deleted in the Azure environment.
- This event signifies that the Key Vault and all its associated secrets, keys, and certificates have been permanently removed.
- It is important to monitor this event as it can help track any unauthorized or accidental deletion of Key Vaults, ensuring the security and integrity of sensitive data stored within the Key Vault.
Examples
-
Unauthorized deletion of a key vault: If security is impacted with Microsoft.KeyVault.vaults.delete in Azure for AzureSecurityService, it could potentially allow unauthorized individuals to delete a key vault. This could result in the loss of sensitive cryptographic keys and secrets stored within the vault, compromising the security of applications and data that rely on those keys.
-
Data breach due to deleted access policies: Deleting a key vault in Azure can also impact security by removing all access policies associated with the vault. This means that any users or applications that had previously been granted access to the vault will lose their permissions. If these access policies are not properly restored or reconfigured, it could lead to unauthorized access to sensitive data or services, resulting in a data breach.
-
Disruption of encryption services: Key vaults in Azure are often used to store cryptographic keys and secrets that are used for encryption purposes. If a key vault is deleted, any services or applications that rely on those keys for encryption will be disrupted. This could result in data being transmitted or stored without proper encryption, increasing the risk of data exposure or unauthorized access.
Remediation
Using Console
To remediate the AzureSecurityService issue using the Azure console, you can follow these step-by-step instructions:
-
Enable Azure Security Center:
- Log in to the Azure portal.
- Search for “Security Center” in the search bar and select the Security Center service.
- Click on “Pricing & settings” in the left-hand menu.
- Select the subscription you want to enable Security Center for.
- Choose the desired pricing tier (Free or Standard) and click “Apply”.
-
Configure Security Policies:
- In the Azure Security Center, click on “Security policy” in the left-hand menu.
- Click on “Add policy” to create a new policy or select an existing policy to modify.
- Define the desired security controls and settings based on your compliance requirements.
- Save the policy and assign it to the relevant Azure resources.
-
Monitor and Remediate Security Alerts:
- In the Azure Security Center, click on “Security alerts” in the left-hand menu.
- Review the list of security alerts and prioritize them based on severity.
- Click on an alert to view the details and recommended actions for remediation.
- Follow the provided guidance to mitigate the security issue and resolve the alert.
Note: The specific steps may vary slightly depending on the Azure portal version and interface changes. Always refer to the official Azure documentation for the most up-to-date instructions.
Using CLI
To remediate the Azure Security Service using Azure CLI, you can follow these steps:
-
Enable Azure Security Center Standard Tier:
- Use the Azure CLI command
az security pricing create --name "standard" --tier "Standard" --resource-group "your-resource-group" --subscription "your-subscription-id"to enable the Standard tier for Azure Security Center. - Replace “your-resource-group” with the name of your resource group and “your-subscription-id” with your subscription ID.
- Use the Azure CLI command
-
Configure Just-In-Time (JIT) VM Access:
- Use the Azure CLI command
az vmss update --name "your-vmss-name" --resource-group "your-resource-group" --set virtualMachineProfile.extensionProfile.extensions[0].settings.JitEnabled=trueto enable JIT VM access for a VM scale set. - Replace “your-vmss-name” with the name of your VM scale set and “your-resource-group” with the name of your resource group.
- Use the Azure CLI command
-
Enable Network Security Group (NSG) Flow Logs:
- Use the Azure CLI command
az network watcher flow-log configure --nsg "your-nsg-name" --resource-group "your-resource-group" --enabled true --storage-account "your-storage-account-name" --storage-path "your-storage-path"to enable NSG flow logs. - Replace “your-nsg-name” with the name of your NSG, “your-resource-group” with the name of your resource group, “your-storage-account-name” with the name of your storage account, and “your-storage-path” with the desired storage path for the logs.
- Use the Azure CLI command
Please note that you need to have the Azure CLI installed and authenticated with the appropriate permissions to execute these commands.
Using Python
To remediate AzureSecurityService issues in Azure using Python, you can follow these steps:
- Enable Azure Security Center: Use the Azure SDK for Python to enable Azure Security Center for your Azure subscription. You can use the
azure-mgmt-securitypackage to manage security settings programmatically. Here’s an example script:
from azure.identity import DefaultAzureCredential
from azure.mgmt.security import SecurityCenter
# Authenticate using default credentials
credential = DefaultAzureCredential()
# Create a Security Center client
security_center_client = SecurityCenter(
credential=credential,
subscription_id="<your-subscription-id>"
)
# Enable Azure Security Center for your subscription
security_center_client.auto_provisioning_settings.create_or_update(
resource_group_name="<your-resource-group>",
auto_provisioning_setting_name="<your-setting-name>",
auto_provisioning_setting={
"auto_provision": "On"
}
)
- Configure Security Policies: Use the
azure-mgmt-securitypackage to configure security policies for Azure Security Center. You can define policies to enforce specific security controls and compliance standards. Here’s an example script:
from azure.identity import DefaultAzureCredential
from azure.mgmt.security import SecurityCenter
# Authenticate using default credentials
credential = DefaultAzureCredential()
# Create a Security Center client
security_center_client = SecurityCenter(
credential=credential,
subscription_id="<your-subscription-id>"
)
# Configure a security policy
security_center_client.policies.create_or_update(
resource_group_name="<your-resource-group>",
policy_name="<your-policy-name>",
policy={
"displayName": "My Security Policy",
"description": "This policy enforces security controls",
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
"then": {
"effect": "audit",
"details": {
"type": "AuditIfNotExists",
"existenceCondition": {
"field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration.ssh.publicKeys[].keyData",
"equals": ""
}
}
}
}
}
)
- Monitor Security Events: Use the
azure-mgmt-monitorpackage to monitor security events in Azure. You can retrieve security event logs and analyze them for potential security issues. Here’s an example script:
from azure.identity import DefaultAzureCredential
from azure.mgmt.monitor import MonitorManagementClient
# Authenticate using default credentials
credential = DefaultAzureCredential()
# Create a Monitor client
monitor_client = MonitorManagementClient(
credential=credential,
subscription_id="<your-subscription-id>"
)
# Retrieve security event logs
security_event_logs = monitor_client.activity_logs.list(
filter="eventTimestamp ge 2022-01-01 and eventTimestamp le 2022-01-31 and category eq 'Security'"
)
# Process security event logs
for log in security_event_logs:
print(log.event_name.value, log.resource_id, log.event_timestamp)
Please note that you need to install the required Azure SDK packages (azure-mgmt-security and azure-mgmt-monitor) before running these scripts.