Microsoft.KeyVault.vaults.keys.delete
Event Information
- The Microsoft.KeyVault.vaults.keys.delete event in Azure for AzureSecurityService indicates that a key has been deleted from an Azure Key Vault.
- This event signifies that a specific key within a Key Vault has been permanently removed and cannot be recovered.
- It is important to monitor this event as it may indicate potential security breaches or unauthorized access to sensitive cryptographic keys.
Examples
-
Unauthorized deletion: If security is impacted with Microsoft.KeyVault.vaults.keys.delete in Azure for AzureSecurityService, it could mean that an unauthorized user or entity has gained access to the Azure Security Service and is able to delete keys from the Key Vault. This could lead to a potential compromise of sensitive data or resources protected by those keys.
-
Data loss or service disruption: Deleting keys from the Key Vault can result in data loss or service disruption if the keys are being used to encrypt or decrypt sensitive information or to authenticate and authorize access to resources. Without the necessary keys, applications or services relying on them may fail to function properly or lose access to critical data.
-
Compliance violations: Deleting keys from the Key Vault without proper authorization or documentation can lead to compliance violations. Organizations that are subject to regulatory requirements, such as GDPR or HIPAA, may be required to maintain certain levels of data protection and access controls. Unauthorized deletion of keys can result in non-compliance and potential legal consequences.
Remediation
Using Console
To remediate the issues related to Azure Security Service using the Azure console, you can follow these step-by-step instructions:
-
Enable Azure Security Center:
- Log in to the Azure portal.
- Search for “Security Center” in the search bar and select the Security Center service.
- Click on “Pricing & settings” in the left-hand menu.
- Select the subscription and resource group you want to enable Security Center for.
- Choose the pricing tier that suits your requirements (Free, Standard, or Standard - Trial).
- Click on “Apply” to save the changes.
-
Configure Security Policies:
- In the Azure Security Center, click on “Security policy” in the left-hand menu.
- Select the subscription and resource group you want to configure the policy for.
- Click on “Add policy” to create a new policy or select an existing policy to modify.
- Configure the policy settings according to your security requirements, such as enabling specific security recommendations, setting baseline rules, and defining compliance requirements.
- Click on “Save” to apply the policy.
-
Monitor and Remediate Security Alerts:
- In the Azure Security Center, click on “Security alerts” in the left-hand menu.
- Review the list of security alerts and prioritize them based on severity and impact.
- Click on an alert to view the details and recommended actions.
- Follow the recommended actions to remediate the security issue, such as applying a patch, updating configurations, or investigating suspicious activities.
- Once the remediation is complete, mark the alert as resolved or closed.
These steps will help you remediate Azure Security Service issues using the Azure console, enabling you to enhance the security posture of your Azure environment.
Using CLI
To remediate the Azure Security Service using Azure CLI, you can follow these steps:
-
Enable Azure Security Center Standard Tier:
- Use the Azure CLI command
az security pricing create --name "standard" --tier "Standard" --resource-group "your-resource-group" --subscription "your-subscription-id"to enable the Standard tier for Azure Security Center.
- Use the Azure CLI command
-
Enable Just-In-Time (JIT) VM Access:
- Use the Azure CLI command
az security jit-policy update --name "default" --resource-group "your-resource-group" --subscription "your-subscription-id" --enabled trueto enable JIT VM Access for your virtual machines.
- Use the Azure CLI command
-
Enable Network Security Group (NSG) Flow Logs:
- Use the Azure CLI command
az network watcher flow-log configure --enabled true --nsg "your-nsg-name" --resource-group "your-resource-group" --storage-account "your-storage-account-name" --subscription "your-subscription-id"to enable NSG Flow Logs for your Network Security Group.
- Use the Azure CLI command
Please replace the placeholders (“your-resource-group”, “your-subscription-id”, “your-nsg-name”, “your-storage-account-name”) with the actual values specific to your Azure environment.
Using Python
To remediate AzureSecurityService issues in Azure using Python, you can follow these steps:
- Enable Azure Security Center: Use the Azure SDK for Python to enable Azure Security Center for your Azure subscription. You can use the
azure-mgmt-securitypackage to manage security settings programmatically. Here’s an example script:
from azure.identity import DefaultAzureCredential
from azure.mgmt.security import SecurityCenter
# Authenticate using default credentials
credential = DefaultAzureCredential()
# Create a Security Center client
security_center_client = SecurityCenter(
credential=credential,
subscription_id="<your-subscription-id>"
)
# Enable Azure Security Center for your subscription
security_center_client.auto_provisioning_settings.create_or_update(
resource_group_name="<your-resource-group>",
auto_provisioning_setting_name="<your-setting-name>",
auto_provisioning_setting={
"auto_provision": "On"
}
)
- Configure Security Policies: Use the
azure-mgmt-securitypackage to configure security policies for Azure Security Center. You can define policies to enforce specific security controls and compliance standards. Here’s an example script:
from azure.identity import DefaultAzureCredential
from azure.mgmt.security import SecurityCenter
# Authenticate using default credentials
credential = DefaultAzureCredential()
# Create a Security Center client
security_center_client = SecurityCenter(
credential=credential,
subscription_id="<your-subscription-id>"
)
# Configure a security policy
security_center_client.policies.create_or_update(
resource_group_name="<your-resource-group>",
policy_name="<your-policy-name>",
policy={
"displayName": "My Security Policy",
"description": "This policy enforces security controls",
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
"then": {
"effect": "audit",
"details": {
"type": "AuditIfNotExists",
"existenceCondition": {
"field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration.ssh.publicKeys[].keyData",
"equals": ""
}
}
}
}
}
)
- Monitor Security Events: Use the
azure-mgmt-monitorpackage to monitor security events in Azure. You can retrieve security event logs and analyze them for potential security issues. Here’s an example script:
from azure.identity import DefaultAzureCredential
from azure.mgmt.monitor import MonitorManagementClient
# Authenticate using default credentials
credential = DefaultAzureCredential()
# Create a Monitor client
monitor_client = MonitorManagementClient(
credential=credential,
subscription_id="<your-subscription-id>"
)
# Retrieve security event logs
security_event_logs = monitor_client.activity_logs.list(
filter="eventTimestamp ge 2022-01-01 and eventTimestamp le 2022-01-31 and category eq 'Security'"
)
# Process security event logs
for log in security_event_logs:
print(log.event_name.value, log.resource_id, log.event_timestamp)
Please note that you need to install the required Azure SDK packages (azure-mgmt-security and azure-mgmt-monitor) using pip before running these scripts.