Microsoft.keyvault.vaults.delete

​

Event Information

• The Microsoft.KeyVault.vaults.delete event in Azure for AzureSecurityService indicates that a Key Vault has been deleted in the Azure environment.
• This event signifies that the Key Vault and all its associated secrets, keys, and certificates have been permanently removed.
• It is important to monitor this event as it can help track any unauthorized or accidental deletion of Key Vaults, ensuring the security and integrity of sensitive data stored within the Key Vault.

​

Examples

1. Unauthorized deletion of a key vault: If security is impacted with Microsoft.KeyVault.vaults.delete in Azure for AzureSecurityService, it could potentially allow unauthorized individuals to delete a key vault. This could result in the loss of sensitive cryptographic keys and secrets stored within the vault, compromising the security of applications and data that rely on those keys.
2. Data breach due to deleted access policies: Deleting a key vault in Azure can also impact security by removing all access policies associated with the vault. This means that any users or applications that had previously been granted access to the vault will lose their permissions. If these access policies are not properly restored or reconfigured, it could lead to unauthorized access to sensitive data or services, resulting in a data breach.
3. Disruption of encryption services: Key vaults in Azure are often used to store cryptographic keys and secrets that are used for encryption purposes. If a key vault is deleted, any services or applications that rely on those keys for encryption will be disrupted. This could result in data being transmitted or stored without proper encryption, increasing the risk of data exposure or unauthorized access.

​

Remediation

​

Using Console

1. Enable Azure Security Center:
   • Log in to the Azure portal.
   • Search for “Security Center” in the search bar and select the Security Center service.
   • Click on “Pricing & settings” in the left-hand menu.
   • Select the subscription you want to enable Security Center for.
   • Choose the desired pricing tier (Free or Standard) and click “Apply”.
2. Configure Security Policies:
   • In the Azure Security Center, click on “Security policy” in the left-hand menu.
   • Click on “Add policy” to create a new policy or select an existing policy to modify.
   • Define the desired security controls and settings based on your compliance requirements.
   • Save the policy and assign it to the relevant Azure resources.
3. Monitor and Remediate Security Alerts:
   • In the Azure Security Center, click on “Security alerts” in the left-hand menu.
   • Review the list of security alerts and prioritize them based on severity.
   • Click on an alert to view the details and recommended actions for remediation.
   • Follow the provided guidance to mitigate the security issue and resolve the alert.

​

Using CLI

1. Enable Azure Security Center Standard Tier:
   • Use the Azure CLI command az security pricing create --name "standard" --tier "Standard" --resource-group "your-resource-group" --subscription "your-subscription-id" to enable the Standard tier for Azure Security Center.
   • Replace “your-resource-group” with the name of your resource group and “your-subscription-id” with your subscription ID.
2. Configure Just-In-Time (JIT) VM Access:
   • Use the Azure CLI command az vmss update --name "your-vmss-name" --resource-group "your-resource-group" --set virtualMachineProfile.extensionProfile.extensions[0].settings.JitEnabled=true to enable JIT VM access for a VM scale set.
   • Replace “your-vmss-name” with the name of your VM scale set and “your-resource-group” with the name of your resource group.
3. Enable Network Security Group (NSG) Flow Logs:
   • Use the Azure CLI command az network watcher flow-log configure --nsg "your-nsg-name" --resource-group "your-resource-group" --enabled true --storage-account "your-storage-account-name" --storage-path "your-storage-path" to enable NSG flow logs.
   • Replace “your-nsg-name” with the name of your NSG, “your-resource-group” with the name of your resource group, “your-storage-account-name” with the name of your storage account, and “your-storage-path” with the desired storage path for the logs.

​

Using Python

1. Enable Azure Security Center: Use the Azure SDK for Python to enable Azure Security Center for your Azure subscription. You can use the azure-mgmt-security package to manage security settings programmatically. Here’s an example script:

from azure.identity import DefaultAzureCredential
from azure.mgmt.security import SecurityCenter

# Authenticate using default credentials
credential = DefaultAzureCredential()

# Create a Security Center client
security_center_client = SecurityCenter(
    credential=credential,
    subscription_id="<your-subscription-id>"
)

# Enable Azure Security Center for your subscription
security_center_client.auto_provisioning_settings.create_or_update(
    resource_group_name="<your-resource-group>",
    auto_provisioning_setting_name="<your-setting-name>",
    auto_provisioning_setting={
        "auto_provision": "On"
    }
)

2. Configure Security Policies: Use the azure-mgmt-security package to configure security policies for Azure Security Center. You can define policies to enforce specific security controls and compliance standards. Here’s an example script:

from azure.identity import DefaultAzureCredential
from azure.mgmt.security import SecurityCenter

# Authenticate using default credentials
credential = DefaultAzureCredential()

# Create a Security Center client
security_center_client = SecurityCenter(
    credential=credential,
    subscription_id="<your-subscription-id>"
)

# Configure a security policy
security_center_client.policies.create_or_update(
    resource_group_name="<your-resource-group>",
    policy_name="<your-policy-name>",
    policy={
        "displayName": "My Security Policy",
        "description": "This policy enforces security controls",
        "policyRule": {
            "if": {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
            },
            "then": {
                "effect": "audit",
                "details": {
                    "type": "AuditIfNotExists",
                    "existenceCondition": {
                        "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration.ssh.publicKeys[].keyData",
                        "equals": ""
                    }
                }
            }
        }
    }
)

3. Monitor Security Events: Use the azure-mgmt-monitor package to monitor security events in Azure. You can retrieve security event logs and analyze them for potential security issues. Here’s an example script:

from azure.identity import DefaultAzureCredential
from azure.mgmt.monitor import MonitorManagementClient

# Authenticate using default credentials
credential = DefaultAzureCredential()

# Create a Monitor client
monitor_client = MonitorManagementClient(
    credential=credential,
    subscription_id="<your-subscription-id>"
)

# Retrieve security event logs
security_event_logs = monitor_client.activity_logs.list(
    filter="eventTimestamp ge 2022-01-01 and eventTimestamp le 2022-01-31 and category eq 'Security'"
)

# Process security event logs
for log in security_event_logs:
    print(log.event_name.value, log.resource_id, log.event_timestamp)