Azure Key Vault Managed HSM is not used whenever required
- Contextual name: Key Vault Managed HSM is used
- ID: /ce/ca/azure/key-vault/managed-hsm-is-used-when-required
- Located in: Azure Key Vault
Flags
- Impossible policy
- Policy with categories
- Policy with type
Our Metadata
- Policy Type: COMPLIANCE_POLICY
- Policy Category: SECURITY
Description
Azure Key Vault Managed HSM is a fully managed, highly available, single-tenant cloud service that safeguards cryptographic keys using FIPS 140-2 Level 3 validated HSMs.
Note: This recommendation to use Managed HSM applies only to scenarios where specific regulatory and compliance requirements mandate the use of a dedicated hardware security module.
Rationale
Managed HSM is a fully managed, highly available, single-tenant service that ensures FIPS 140-2 Level 3 compliance. It provides centralized key management, isolated access control, and private endpoints for secure access. Integrated with Azure services, it supports migration from Key Vault, ensures data residency, and offers monitoring and auditing for enhanced security.
Impact
Managed HSM incurs a cost of $0.40 to $5 per month for each actively used HSM-protected key, depending on the key type and quantity. Each key version is billed separately. Additionally, there is an hourly usage fee of $3.20 per Managed HSM pool.
Audit
From Azure CLI
Remediation
From Azure CLI
Run the following command to set `oid` to the OID of the signed-in user:
$oid = az ad signed-in-user show --query id -o tsv
Alternatively, prepare a space-separated list of OIDs to be provided as the administrators of the HSM. Run the following command to create a Managed HSM:
az keyvault create --resource-group <resource-group> --hsm-name <hsm-name> --retention-days <retention-days> --administrators $oid
The command can take several minutes to complete.
After the HSM has been created, it must be activated before it can be used. Activation requires providing a minimum of three and a maximum of ten RSA key pairs, as well as the minimum number of keys required to decrypt the security domain (called a quorum). OpenSSL can be used to generate the self-signed certificates, for example:
openssl req -newkey rsa:2048 -nodes -keyout cert_1.key -x509 -days 365 -out cert_1.cer
Run the following command to download the security domain and activate the Managed HSM:
az keyvault security-domain download --hsm-name <managed-hsm> --sd-wrapping-keys <key-1> <key-2> <key-3> --sd-quorum <quorum> --security-domain-file <managed-hsm-security-domain>.json
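As an added example (not code from the policy page or from Azure's own tooling), a POSIX shell script that scripts the activation step above: it checks the wrapping-key count and quorum against the constraints the text gives, generates the certificates with the same openssl invocation, and assembles the security-domain download command for review before running it. HSM_NAME, KEY_COUNT, QUORUM and SD_FILE are hypothetical environment variables chosen here, and the quorum lower bound of 2 is an assumption taken from the Managed HSM documentation rather than from this page.

```shell
#!/bin/sh
# Added example, not code from the policy page or from Azure. Assumes the az CLI
# and openssl are installed and that `az login` has already been done.
set -eu

# Check the activation constraints before any Azure call: 3..10 RSA wrapping key
# pairs, and a quorum no larger than the number of keys. The lower bound of 2 on
# the quorum is an assumption taken from the Managed HSM documentation.
validate_sd_params() {
  keys="$1"; quorum="$2"
  [ "$keys" -ge 3 ] && [ "$keys" -le 10 ] || return 1
  [ "$quorum" -ge 2 ] && [ "$quorum" -le "$keys" ] || return 1
  return 0
}

# Generate N self-signed RSA 2048 certificates (cert_1.cer .. cert_N.cer) with the
# openssl invocation from the remediation text. Only the .cer files are handed to
# Azure; the .key files must be kept offline, because any `quorum` of them can
# decrypt the security domain and therefore recover the HSM.
generate_wrapping_certs() {
  n="$1"; i=1
  while [ "$i" -le "$n" ]; do
    openssl req -newkey rsa:2048 -nodes -keyout "cert_$i.key" -x509 -days 365 \
      -subj "/CN=managed-hsm-sd-key-$i" -out "cert_$i.cer" >/dev/null 2>&1
    i=$((i + 1))
  done
}

# Assemble the `az keyvault security-domain download` command for N wrapping
# certificates, so it can be reviewed or logged before it is executed.
build_download_cmd() {
  hsm="$1"; quorum="$2"; sd_file="$3"; n="$4"; i=1
  cmd="az keyvault security-domain download --hsm-name $hsm --sd-wrapping-keys"
  while [ "$i" -le "$n" ]; do cmd="$cmd cert_$i.cer"; i=$((i + 1)); done
  echo "$cmd --sd-quorum $quorum --security-domain-file $sd_file"
}

# Live steps run only when HSM_NAME (hypothetical variable) is set, so the
# functions above can be sourced and checked without an Azure session.
if [ -n "${HSM_NAME:-}" ]; then
  KEY_COUNT="${KEY_COUNT:-3}"; QUORUM="${QUORUM:-2}"
  validate_sd_params "$KEY_COUNT" "$QUORUM" || { echo "bad key count/quorum" >&2; exit 1; }
  generate_wrapping_certs "$KEY_COUNT"
  download_cmd=$(build_download_cmd "$HSM_NAME" "$QUORUM" "${SD_FILE:-$HSM_NAME-security-domain.json}" "$KEY_COUNT")
  $download_cmd   # word-split on purpose: HSM and file names contain no spaces
fi
```

Run it as `HSM_NAME=<hsm-name> KEY_COUNT=3 QUORUM=2 sh activate.sh` after the `az keyvault create` step has finished; without HSM_NAME set it only defines the functions.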
... [see more](remediation.md)
policy.yaml
Linked Framework Sections
Section | Sub Sections | Internal Rules | Policies | Flags
---|---|---|---|---
CIS Azure v4.0.0 › 9.3.10 Ensure that Azure Key Vault Managed HSM is used when required (Manual) | 1 | | |
Cloudaware Framework › Secure Access | 53 | | |