Az - Key Vault

Basic Information

From the docs: Azure Key Vault ni huduma ya wingu kwa kuhifadhi na kufikia siri kwa usalama. Siri ni chochote ambacho unataka kudhibiti kwa karibu ufikiaji wake, kama funguo za API, nywila, vyeti, au funguo za kificho. Huduma ya Key Vault inasaidia aina mbili za vyombo: vaults na pools za usalama wa vifaa vilivyodhibitiwa (HSM). Vaults zinasaidia kuhifadhi funguo za programu na funguo za HSM. Pools za HSM zinazodhibitiwa zinasaidia tu funguo za HSM. Tazama Muhtasari wa Azure Key Vault REST API kwa maelezo kamili.

Muundo wa URL ni https://{vault-name}.vault.azure.net/{object-type}/{object-name}/{object-version} Ambapo:

• vault-name ni jina la kipekee la kimataifa la vault ya funguo

• object-type inaweza kuwa "funguo", "siri" au "vyeti"

• object-name ni jina la kipekee la kitu ndani ya vault ya funguo

• object-version inatengenezwa na mfumo na inaweza kutumika kwa hiari kuashiria toleo la kipekee la kitu.

Ili kufikia siri zilizohifadhiwa katika vault, mifano miwili ya ruhusa inaweza kutumika:

• Sera ya ufikiaji wa Vault

• Azure RBAC

Access Control

Ufikiaji wa rasilimali ya Key Vault unadhibitiwa na ndege mbili:

• ndege ya usimamizi, ambayo lengo lake ni management.azure.com.

• Inatumika kusimamia vault ya funguo na sera za ufikiaji. Ni Azure role based access control (RBAC) pekee inayoungwa mkono.

• ndege ya data, ambayo lengo lake ni <vault-name>.vault.azure.com.

• Inatumika kusimamia na kufikia data (funguo, siri na vyeti) katika vault ya funguo. Hii inasaidia sera za ufikiaji wa vault au Azure RBAC.

Jukumu kama Mchangiaji ambalo lina ruhusa katika eneo la usimamizi kusimamia sera za ufikiaji linaweza kupata ufikiaji wa siri kwa kubadilisha sera za ufikiaji.

Key Vault RBAC Built-In Roles

Network Access

Katika Azure Key Vault, sheria za moto zinaweza kuwekwa ili kuruhusu operesheni za ndege ya data tu kutoka mitandao halisi au anwani za IPv4 zilizotajwa. Kikomo hiki pia kinaathiri ufikiaji kupitia lango la usimamizi la Azure; watumiaji hawataweza kuorodhesha funguo, siri, au vyeti katika vault ya funguo ikiwa anwani yao ya IP ya kuingia haiko ndani ya anuwai iliyoidhinishwa.

Kwa kuchambua na kusimamia mipangilio hii, unaweza kutumia Azure CLI:

az keyvault show --name name-vault --query networkAcls

The previous command will display the firewall settings of name-vault, including enabled IP ranges and policies for denied traffic.

Enumeration

# Get keyvault token
curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2017-09-01" -H secret:$IDENTITY_HEADER

# Connect with PS AzureAD
## $token from management API
Connect-AzAccount -AccessToken $token -AccountId 1937ea5938eb-10eb-a365-10abede52387 -KeyVaultAccessToken $keyvaulttoken

# List vaults
Get-AzKeyVault
# Get secrets names from the vault
Get-AzKeyVaultSecret -VaultName <vault_name>
# Get secret values
Get-AzKeyVaultSecret -VaultName <vault_name> -Name <secret_name> –AsPlainText

#!/bin/bash

# Dump all keyvaults from the subscription

# Define Azure subscription ID
AZ_SUBSCRIPTION_ID="your-subscription-id"

# Specify the filename for output
CSV_OUTPUT="vault-names-list.csv"

# Login to Azure account
az login

# Select the desired subscription
az account set --subscription $AZ_SUBSCRIPTION_ID

# Retrieve all resource groups within the subscription
AZ_RESOURCE_GROUPS=$(az group list --query "[].name" -o tsv)

# Initialize the CSV file with headers
echo "Vault Name,Associated Resource Group" > $CSV_OUTPUT

# Iterate over each resource group
for GROUP in $AZ_RESOURCE_GROUPS
do
# Fetch key vaults within the current resource group
VAULT_LIST=$(az keyvault list --resource-group $GROUP --query "[].name" -o tsv)

# Process each key vault
for VAULT in $VAULT_LIST
do
# Extract the key vault's name
VAULT_NAME=$(az keyvault show --name $VAULT --resource-group $GROUP --query "name" -o tsv)

# Append the key vault name and its resource group to the file
echo "$VAULT_NAME,$GROUP" >> $CSV_OUTPUT
done
done