Implement Azure Security Cheatsheet

By Saeed Salehi

3 min read

Authors

Part of series

Developing Solutions for Microsoft Azure (AZ-204) certification exam Cheatsheets

  1. Part 1:

    Introduction to (AZ-204) certification exam Cheatsheets

  2. Part 2:

    Implement IaaS in Azure Cheatsheets

  3. Part 3:

    Azure Functions Cheatsheets

  4. Part 4:

    Azure App Service Cheatsheets

  5. Part 5:

    Develop solutions that use Blob storage Cheatsheets

  6. Part 6:

    Develop solutions that use Azure Cosmos DB Cheatsheets

  7. Part 7:

    Implement Azure Security Cheatsheet

  8. Part 8:

    Microsoft Identity platform Cheatsheet

  9. Part 9:

    Monitoring And logging in Azure Cheatsheets

  10. Part 10:

    Azure Cache for Redis Cheatsheets

  11. Part 11:

    Develop message-based solutions Cheatsheets

  12. Part 12:

    Develop event-based solutions Cheatsheets

  13. Part 13:

    API Management in Azure Cheatsheets

Azure Key Vault

Supports vaults and managed hardware security module(HSM) pools

service tiers:

  • Standard: encrypts with a software key
  • Premium: hardware security module(HSM)-protected keys

Authentication

To do any operations with Key Vault, you first need to authenticate to it

  • Managed identities for Azure resources
  • Service principal and certificate
  • Service principal and secret

Create a key vault

az keyvault create --name $myKeyVault --resource-group az204-vault-rg --location $myLocation

Create a secret

az keyvault secret set --vault-name $myKeyVault --name "ExamplePassword" --value "hVFkk965BuUv"

retrieve the secret

az keyvault secret show --name "ExamplePassword" --vault-name $myKeyVault

Managed identities

Types of managed identities:

  • system-assigned managed identity
  • user-assigned managed identity (independent lifecycle than a Azure resource)

Create System-assigned managed identity

during creation of an resources by specifying these parameters:

 --assign-identity \
    --role contributor \
    --scope mySubscription \

system-assigned identity to an existing virtual machine:

az vm identity assign -g myResourceGroup -n myVm

Create User-assigned managed identity

create identity az identity create -g myResourceGroup -n myUserAssignedIdentity

assign to a resource by specifying these parameters:

--assign-identity <USER ASSIGNED IDENTITY NAME> \
--role <ROLE> \
--scope <SUBSCRIPTION>

or to an existing resource:

az vm identity assign \
    -g <RESOURCE GROUP> \
    -n <VM NAME> \
    --identities <USER ASSIGNED IDENTITY>

Azure App Configuration

Azure App Configuration encrypts sensitive information at rest using a 256-bit AES encryption key provided by Microsoft.

*, ,, and \. These characters are reserved

Key values in App Configuration can optionally have a label attribute

Version key values

App Configuration doesn't version key values automatically as they're modified. Use labels as a way to create multiple versions of a key value.

Query key values

Each key value is uniquely identified by its key plus a label that can be null

Values

Values assigned to keys are also unicode strings.

Manage application features

  • Feature flag: A feature flag is a variable with a binary state of on or off
  • Feature manager: A feature manager is an application package that handles the lifecycle of all the feature flags in an application
  • Filter: A filter is a rule for evaluating the state of a feature flag.

Secure app configuration data

Encrypt configuration data by using customer-managed keys

Requirements:

  • Standard tier Azure App Configuration instance
  • Azure Key Vault with soft-delete and purge-protection features enabled
  • An RSA or RSA-HSM key within the Key Vault: The key must not be expired, it must be enabled, and it must have both wrap and unwrap capabilities enabled

Allow Azure App Configuration to use the Key Vault key:

  1. Assign a managed identity to the Azure App Configuration instance
  2. Grant the identity GET, WRAP, and UNWRAP permissions in the target Key Vault's access policy.

Use private endpoints for Azure App Configuration

Allow clients on a virtual network (VNet) to securely access data over a private link.

Managed identities

A managed identity from Azure Active Directory (AAD) allows Azure App Configuration to easily access other AAD-protected resources, such as Azure Key Vault.

The identity is managed by the Azure platform. It does not require you to provision or rotate any secrets.

Add a system-assigned identity

az appconfig identity assign

Assign the new user-assigned identity to the myTestAppConfigStore configuration store:

az appconfig identity assign --name myTestAppConfigStore \
    --resource-group myResourceGroup \
    --identities /subscriptions/[subscription id]/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myUserAssignedIdentity

Upcoming events

  • Drupal CMS Launch Party

    Zoals sommigen misschien weten wordt op 15 Januari een nieuwe distributie van Drupal gelanceerd. Namelijk Drupal CMS (ook wel bekend als Starshot). Om dit te vieren gaan we op onze campus een klein eventje organiseren. We gaan die dag samen de livestream volgen waarbij het product gelanceerd wordt. De agenda is als volgt: 17u – 18u30: Drupal CMS livestream met taart 18u30 – 19u00: Versteld staan van de functionaliteiten 19u – 20u: Pizza eten en verder versteld staan van de functionaliteiten Laat ons zeker weten of je komt of niet door de invite te accepteren! Tot dan!

    | Coven of Wisdom Herentals

    Go to page for Drupal CMS Launch Party

  • Coven of Wisdom - Herentals - Winter `24 edition

    Worstelen jij en je team met het bouwen van schaalbare digitale ecosystemen of zit je vast in een props hell met React of in een ander framework? Kom naar onze meetup waar ervaren sprekers hun inzichten en ervaringen delen over het bouwen van robuuste en flexibele applicaties. Schrijf je in voor een avond vol kennis, heerlijk eten en een mix van creativiteit en technologie! 🚀 18:00 – 🚪 Deuren open 18:15 – 🍕 Food & drinks 19:00 – 📢 Building a Mature Digital Ecosystem - Maarten Heip 20:00 – 🍹 Kleine pauze 20:15 – 📢 Compound Components: A Better Way to Build React Components - Sead Memic 21:00 – 🙋‍♀️ Drinks 22:00 – 🍻 Tot de volgende keer? Tijdens deze meetup gaan we dieper in op het bouwen van digitale ecosystemen en het creëren van herbruikbare React componenten. Maarten deelt zijn expertise over het ontwikkelen van een volwassen digitale infrastructuur, terwijl Sead je laat zien hoe je 'From Props Hell to Component Heaven' kunt gaan door het gebruik van Compound Components. Ze delen praktische inzichten die je direct kunt toepassen in je eigen projecten. 📍 Waar? Je vindt ons bij iO Herentals - Zavelheide 15, Herentals. Volg bij aankomst de borden 'meetup' vanaf de receptie. 🎫 Schrijf je in! De plaatsen zijn beperkt, dus RSVP is noodzakelijk. Dit helpt ons ook om de juiste hoeveelheid eten en drinken te voorzien - we willen natuurlijk niet dat iemand met een lege maag naar huis gaat! 😋 Over iO Wij zijn iO: een groeiend team van experts die end-to-end-diensten aanbieden voor communicatie en digitale transformatie. We denken groot en werken lokaal. Aan strategie, creatie, content, marketing en technologie. In nauwe samenwerking met onze klanten om hun merken te versterken, hun digitale systemen te verbeteren en hun toekomstbestendige groei veilig te stellen. We helpen klanten niet alleen hun zakelijke doelen te bereiken. Samen verkennen en benutten we de eindeloze mogelijkheden die markten in constante verandering bieden. De springplank voor die visie is talent. Onze campus is onze broedplaats voor innovatie, die een omgeving creëert die talent de ruimte en stimulans geeft die het nodig heeft om te ontkiemen, te ontwikkelen en te floreren. Want werken aan de infinite opportunities van morgen, dat doen we vandaag.

    | Coven of Wisdom Herentals

    Go to page for Coven of Wisdom - Herentals - Winter `24 edition

  • The Test Automation Meetup

    PLEASE RSVP SO THAT WE KNOW HOW MUCH FOOD WE WILL NEED Test automation is a cornerstone of effective software development. It's about creating robust, predictable test suites that enhance quality and reliability. By diving into automation, you're architecting systems that ensure consistency and catch issues early. This expertise not only improves the development process but also broadens your skillset, making you a more versatile team member. Whether you're a developer looking to enhance your testing skills or a QA professional aiming to dive deeper into automation, RSVP for an evening of learning, delicious food, and the fusion of coding and quality assurance! 🚀🚀 18:00 – 🚪 Doors open to the public 18:15 – 🍕 Let’s eat 19:00 – 📢 First round of Talks 19:45 – 🍹 Small break 20:00 – 📢 Second round of Talks 20:45 – 🍻 Drinks 21:00 – 🙋‍♀️ See you next time? First Round of Talks: The Power of Cross-browser Component Testing - Clarke Verdel, SR. Front-end Developer at iO How can you use Component Testing to ensure consistency cross-browser? Overcoming challenges in Visual Regression Testing - Sander van Surksum, Pagespeed | Web Performance Consultant and Sannie Kwakman, Freelance Full-stack Developer How can you overcome the challenges when setting up Visual Regression Testing? Second Round of Talks: Omg who wrote this **** code!? - Erwin Heitzman, SR. Test Automation Engineer at Rabobank How can tests help you and your team? Beyond the Unit Test - Christian Würthner, SR. Android Developer at iO How can you do advanced automated testing for, for instance, biometrics? RSVP now to secure your spot, and let's explore the fascinating world of test automation together!

    | Coven of Wisdom - Amsterdam

    Go to page for The Test Automation Meetup

Share

Jobs

Backend Developer

Brussel, Brussels Hoofdstedelijk Gewest, België

Senior Web Developer

Sofia, Sofia, Bulgarije

Senior Optimizely Developer

Campus onafhankelijk, Vlaams Gewest, België

.Net Developer

Antwerpen, Vlaams Gewest, België

View all jobs