Description
Azure Key Vault Managed HSM is a fully managed, highly available, single-tenant cloud service that safeguards cryptographic keys using FIPS 140-2 Level 3 validated HSMs.
Note: This recommendation to use Managed HSM applies only to scenarios where specific regulatory and compliance requirements mandate the use of a dedicated hardware security module.
Rationale
Managed HSM is a fully managed, highly available, single-tenant service whose key material is held in FIPS 140-2 Level 3 validated HSMs. It provides centralized key management, a data-plane access-control model (local RBAC) that is separate from Azure control-plane permissions, and private endpoints so that the pool can be reached over a private network. It integrates with other Azure services, supports migrating keys from Key Vault, keeps key material within the chosen region for data residency, and provides logging and monitoring so that key usage can be audited.
Impact
Managed HSM is billed in two parts: an hourly fee of $3.20 per Managed HSM pool, which accrues for as long as the pool exists whether or not it holds keys, plus $0.40 to $5 per month for each actively used HSM-protected key, depending on the key type and quantity. Each key version is billed separately.
Audit
From Azure CLI
Managed HSM pools are a separate resource type (Microsoft.KeyVault/managedHSMs) and are not returned by az keyvault list by default, which lists only standard vaults (Microsoft.KeyVault/vaults). Run the following command to list Managed HSM pools:
az keyvault list --resource-type hsm --query "[*].[name,type]"
Ensure that at least one resource with type Microsoft.KeyVault/managedHSMs
exists.
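The check above can be scripted so that the pass/fail rule is explicit and so that a listing taken without --resource-type hsm is recognisable. The following is an added example, not part of the CIS benchmark or of the Azure CLI documentation. It assumes the input is the JSON that az keyvault list --resource-type hsm --query "[*].[name,type]" -o json returns (a list of [name, type] pairs); the two sample listings are constructed and do not come from a real subscription.

```sh
#!/bin/sh
# Added audit helper for this recommendation (not part of the CIS benchmark).
# Assumption: input is the JSON returned by
#   az keyvault list --resource-type hsm --query "[*].[name,type]" -o json
# i.e. a list of [name, type] pairs. Both samples below are constructed.

MANAGED_HSM_TYPE='Microsoft.KeyVault/managedHSMs'
VAULT_TYPE='Microsoft.KeyVault/vaults'

# Constructed sample: what the default listing (standard vaults only) looks like.
SAMPLE_VAULTS_ONLY='[["kv-prod-01","Microsoft.KeyVault/vaults"],["kv-dev-01","Microsoft.KeyVault/vaults"]]'
# Constructed sample: what the --resource-type hsm listing looks like.
SAMPLE_WITH_HSM='[["mhsm-prod-01","Microsoft.KeyVault/managedHSMs"]]'

# count_type TYPE: read az JSON on stdin, print how many entries carry TYPE.
count_type() {
    # grep -o prints one line per match; no match prints nothing, so wc gives 0.
    grep -o "\"$1\"" | wc -l | tr -d ' '
}

# audit_managed_hsm JSON: return 0 (PASS) if at least one Managed HSM pool is
# present, 1 (FAIL) otherwise. The vault count is reported so that a listing
# taken without --resource-type hsm (vaults only) is easy to spot.
audit_managed_hsm() {
    hsms=$(printf '%s' "$1" | count_type "$MANAGED_HSM_TYPE")
    vaults=$(printf '%s' "$1" | count_type "$VAULT_TYPE")
    if [ "$hsms" -ge 1 ]; then
        echo "PASS: $hsms Managed HSM pool(s) found ($vaults standard vault(s))"
        return 0
    fi
    echo "FAIL: no $MANAGED_HSM_TYPE resource found ($vaults standard vault(s))"
    return 1
}

# Stand-alone demonstration on the constructed samples.
audit_managed_hsm "$SAMPLE_WITH_HSM"
audit_managed_hsm "$SAMPLE_VAULTS_ONLY" || true

# Live use (assumption: az is installed and logged in):
#   audit_managed_hsm "$(az keyvault list --resource-type hsm --query '[*].[name,type]' -o json)"
```

The vault count in the output is the practitioner's check: a listing that reports several Microsoft.KeyVault/vaults entries and zero Managed HSM pools usually means the command was run without --resource-type hsm, not that the subscription has no pool.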
References
- https://learn.microsoft.com/en-us/azure/security/fundamentals/key-management-choose
- https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/overview
- https://azure.microsoft.com/en-gb/pricing/details/key-vault/
- https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/quick-create-cli
- https://learn.microsoft.com/en-us/cli/azure/keyvault