Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article provides guidance for protecting secrets and reducing the risk of unauthorized access. Follow this guidance to help ensure that you do not store sensitive information, such as credentials, in code, GitHub repositories, logs, or continuous integration/continuous deployment (CI/CD) pipelines. The guidance in this article comes from individual service recommendations and the Microsoft Cloud Security Benchmark (MCSB).
This article aligns with Microsoft's Zero Trust security model, which requires explicit verification, least-privilege access, and the assumption of breach. For prescriptive security controls that include Azure Policy enforcement, see Microsoft Cloud Security Benchmark v2: Privileged Access and MCSB v2: Data Protection.
Secret discovery and prevention
Before you can secure your secrets, you need visibility into where they exist. You also need controls that prevent exposure before it occurs.
Conduct an audit to identify secrets: Audit your systems and applications to identify sensitive information that needs protection, such as passwords, API keys, connection strings, and other credentials. Regular audits help ensure that new secrets are accounted for and that existing secrets are properly managed. Safeguard dynamically created secrets, such as temporary OAuth tokens, with the same rigor as long-term secrets.
Avoid hardcoding secrets: Embedding secrets directly into code or configuration files creates a significant security risk. If your codebase is compromised, your secrets are also compromised. Instead, use environment variables or configuration management tools that keep secrets out of source code. This practice minimizes the risk of accidental exposure and simplifies secret updates. Integrate secret retrieval into your automated deployment pipeline, and use secret injection patterns to help prevent accidental exposure in logs or version control. For more information, see Recommendations for protecting application secrets.
Implement secret scanning tools: Regularly scan your codebase for embedded secrets to help prevent accidental exposure. Tools such as Azure DevOps Credential Scanner and GitHub secret scanning can automatically detect and alert you to secrets in repositories. Integrate these tools into your CI/CD pipeline for continuous monitoring. Treat any secret found by scanning tools as compromised. Immediately revoke and replace it to maintain the integrity of your security posture.
Secure storage and encryption
Protecting secrets requires secure storage mechanisms and proper encryption at all stages.
Use secure key stores: Services such as Azure Key Vault and Azure Key Vault Managed HSM provide robust security features, including access control, logging, and automatic rotation. This approach centralizes secret management and reduces the risk of unauthorized access. For highly sensitive or critical secrets, use a hardware security module (HSM)-backed key store for enhanced protection compared to software-based secret stores. For customer-managed key scenarios, use the Azure Key Vault Premium tier, which is HSM-backed, at minimum. Use Azure Key Vault Managed HSM for key sovereignty requirements. For an overview of Azure key management offerings and guidance on which to choose, see Key management in Azure and How to choose the right key management solution.
Encrypt secrets at rest and in transit: Azure Key Vault securely stores secrets through envelope encryption, where data encryption keys are encrypted by key encryption keys to provide another layer of security. Use secure communication protocols such as HTTPS to encrypt data in transit between your applications and the key vault. In Azure, encryption at rest is implemented across various services by using AES 256 encryption. Data in transit is secured through TLS and MACsec. For more information, see Encryption at rest and in transit.
Implement network isolation: Configure firewalls and network security groups to restrict access to your key vaults. Allow only trusted applications and services to access your secrets. This approach minimizes the attack surface and helps prevent unauthorized access. Consider using multiple key vaults to create isolation boundaries for different components. If one component is compromised, the component cannot gain control of other secrets or the entire workload.
Access control and identity
Managing who and what can access secrets is critical for maintaining security.
Use managed identities: Managed identities in Azure provide a secure way for applications to authenticate to Azure services without storing credentials in code. Enable managed identities for Azure resources to securely access Azure Key Vault and other services, reducing the need to handle secrets manually. This approach minimizes secret creation and reduces the surface area for potential breaches because the platform manages the credentials.
Apply granular access control: Follow the principle of least privilege by applying granular access control to your secrets. Use Azure role-based access control (Azure RBAC) to ensure that only authorized entities have access to specific secrets. Regularly review and update access permissions to prevent unauthorized access. Implement distinct roles such as user, administrator, and auditor to manage access to secrets. This practice helps ensure that only trusted identities have the appropriate level of permission. For more information, see the Azure Key Vault RBAC guide.
Secret lifecycle management
Secrets require ongoing management throughout their lifecycle, from creation to retirement.
Rotate secrets regularly: Secrets are susceptible to leakage or exposure over time. Regularly rotate your secrets to reduce the risk of unauthorized access. You can rotate secrets in Azure Key Vault for certain secrets. For secrets that cannot be automatically rotated, establish a manual rotation process and ensure that they are purged when they are no longer in use. Automate secret rotation and build redundancy into your secret management to help ensure that rotation does not disrupt service availability. Implement retry logic and concurrent access patterns in your code to help minimize issues during the rotation window.
Distribute secrets safely: When you distribute secrets, share them securely within and outside the organization. Use tools designed for secure sharing, and include secret recovery procedures in your disaster recovery plans. If a key is compromised or leaked, regenerate it immediately. Use distinct keys for each consumer rather than sharing keys, even if consumers have similar access patterns. This practice simplifies key management and revocation, ensuring that compromised keys can be revoked without affecting other consumers.
Monitoring and logging
Continuous monitoring enables detection of suspicious activity and supports compliance requirements.
- Monitor and log access: Enable logging and monitoring for your secret management system to track access and usage. Use Key Vault logging, Azure Monitor, or Azure Event Grid to monitor all activities related to your secrets. Monitoring provides visibility into who accessed your secrets and helps detect suspicious behavior or potential security incidents. Maintain detailed audit trails for inspecting and validating access to secrets, which can help prevent identity theft, avoid repudiation, and reduce unnecessary exposure.
Service-specific guidance for secrets handling
Individual services may have additional best practices and guidance for protecting secrets. Here are some examples:
- API Management: Use named values in Azure API Management policies with Key Vault integration.
- App Service: Use Key Vault references for App Service and Azure Functions.
- Application Gateway: Configure TLS termination for Application Gateway by using the Azure portal.
- Automation: Manage credentials in Azure Automation.
- Azure AI Foundry: Develop Foundry Tools applications with Azure Key Vault.
- Azure App Configuration: Use Key Vault references in an ASP.NET Core app.
- Azure Bot Service: Azure Bot Service encryption for data at rest.
- Azure Center for SAP solutions: Prepare the network for Azure Center for SAP solutions deployment.
- Azure Communication Services: Create and manage access tokens.
- Azure Communications Gateway: Create and store secrets.
- Azure Container Apps: Manage secrets in Azure Container Apps.
- Azure Cosmos DB: Configure customer-managed keys for Azure Cosmos DB.
- Azure Database for PostgreSQL - Flexible Server: Data encryption with a customer-managed key.
- Azure Databricks: Key Vault integration in Azure Databricks.
- Azure DevTest Labs: Enable user-assigned managed identities on lab virtual machines in Azure DevTest Labs.
- Azure Event Hubs: Configure customer-managed keys for encrypting Azure Event Hubs data at rest.
- Azure Front Door: Azure Front Door secrets.
- Azure HDInsight on AKS: Create Azure Key Vault resource prerequisites.
- Azure Information Protection: Key Vault support for Azure Information Protection.
- Azure Kubernetes Service (AKS): CSI Secret Store.
- Azure Machine Learning: Use authentication credential secrets in Azure Machine Learning jobs.
- Azure Managed Applications: Access Key Vault secrets when deploying Azure Managed Applications.
- Azure Pipelines: Protect secrets in Azure Pipelines.
- Azure Service Bus: Integrate Service Bus with Service Connector.
- Azure SignalR Service: Key Vault secret reference in URL template settings.
- Azure Spring Apps: Integrate Azure Key Vault with Service Connector.
- Azure Stack Edge: Manage Azure Stack Edge secrets by using Azure Key Vault.
- Azure Stack Hub: Rotate secrets.
- Azure Web PubSub: Add a custom certificate.
- Backup: Configure a vault to encrypt by using customer-managed keys.
- Data Factory: Store credentials in Azure Key Vault.
- ExpressRoute: Configure MACsec encryption for ExpressRoute Direct.
- Functions: Use Key Vault references for App Service and Azure Functions.
- Key Vault: About Azure Key Vault secrets.
- Logic Apps: Logic Apps Standard app settings.
- Microsoft Purview: Credentials for source authentication in Microsoft Purview.
- Service Fabric: KeyVaultReference support for Service Fabric applications.
- SQL Server on Azure VMs: Configure Azure Key Vault integration for SQL Server on Azure VMs.
- Storage: Authorize access to data in Azure Storage.
Next steps
Minimizing security risk is a shared responsibility. Proactively take steps to secure your workloads. For more information, see Shared responsibility in the cloud.
- See Azure security best practices and patterns for more security best practices to use when you are designing, deploying, and managing your cloud solutions by using Azure.
- Review the Microsoft Cloud Security Benchmark v2: Privileged Access controls for comprehensive secrets and privileged access guidance and Azure Policy mappings.
- Learn about the Microsoft Secure Future Initiative, Microsoft's internal security best practices for protecting identities and secrets that Microsoft also recommends to customers.
- Explore Zero Trust deployment for identity for guidance on implementing Zero Trust principles for identity and access management.