• Secrets management using Azure Managed HSM

    Using Managed HSM to wrap secrets stored in Key Vault

    Has being compliant with FIPS 140-2 ever struck fear in your soul? Recently, a customer asked about implementing Azure services whose keys and secrets are backed by a FIPS 140-2 Level 3 validated cryptographic module. All of a sudden, I found myself back at RSA in a secured data center rotating keys on an nCipher Hardware Security Module (HSM) (if you know, you know). In this blog post, I share my design and example scripts for a solution that met the customer's compliance requirements.

  • Restrict network access to Azure Storage Accounts

    Recently, one of my customers asked for a detective and preventive Azure Policy for Storage Accounts. The requirement was to restrict Storage Accounts to Private Endpoints only. I was surprised by the request, as I assumed that a policy definition meeting these requirements already existed in the built-in set. In this blog post, I review the built-in policies, the process I used to create one that meets the requirements, and the quirks I discovered along the way.

  • User Assigned Managed Identity using an ARM template

    The Azure Image Builder (AIB) Service is a managed service that lets users customize machine images through a standardized process. As part of the prerequisites, the user must create a user-assigned managed identity (UMI) and grant it a custom role so that the service runs with least privilege. In this post, I explain how I translated the documented requirements into an ARM template to simplify deployment of the prerequisite resources.
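    As an added illustration that is not the post's own template, the ARM fragment below deploys the three prerequisite resources the paragraph describes: the user-assigned managed identity, a custom role definition scoped to the resource group, and the role assignment binding them. The identity and role names are assumed parameters; the action list is the one the AIB documentation publishes for its sample image-creation role, so verify it against the current docs before use. The roleDefinitions and roleAssignments resource names must be GUIDs, hence the guid() calls, and principalType is set to ServicePrincipal so the assignment does not fail on directory replication delay.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "identityName": { "type": "string", "defaultValue": "aibIdentity" },
    "roleName": { "type": "string", "defaultValue": "Azure Image Builder Service Image Creation Role" }
  },
  "variables": {
    "roleDefinitionId": "[guid(resourceGroup().id, parameters('roleName'))]",
    "roleAssignmentId": "[guid(resourceGroup().id, parameters('identityName'), parameters('roleName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "apiVersion": "2023-01-31",
      "name": "[parameters('identityName')]",
      "location": "[resourceGroup().location]"
    },
    {
      "type": "Microsoft.Authorization/roleDefinitions",
      "apiVersion": "2022-04-01",
      "name": "[variables('roleDefinitionId')]",
      "properties": {
        "roleName": "[parameters('roleName')]",
        "description": "Least-privilege role for Azure Image Builder (assumed action list; check current AIB docs)",
        "type": "customRole",
        "permissions": [
          {
            "actions": [
              "Microsoft.Compute/galleries/read",
              "Microsoft.Compute/galleries/images/read",
              "Microsoft.Compute/galleries/images/versions/read",
              "Microsoft.Compute/galleries/images/versions/write",
              "Microsoft.Compute/images/write",
              "Microsoft.Compute/images/read",
              "Microsoft.Compute/images/delete"
            ],
            "notActions": []
          }
        ],
        "assignableScopes": [ "[resourceGroup().id]" ]
      }
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[variables('roleAssignmentId')]",
      "dependsOn": [
        "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]",
        "[resourceId('Microsoft.Authorization/roleDefinitions', variables('roleDefinitionId'))]"
      ],
      "properties": {
        "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', variables('roleDefinitionId'))]",
        "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))).principalId]",
        "principalType": "ServicePrincipal"
      }
    }
  ],
  "outputs": {
    "identityResourceId": {
      "type": "string",
      "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]"
    }
  }
}
```

    Deploy it at resource-group scope (for example with `az deployment group create`), then pass the `identityResourceId` output to the image template. Keeping assignableScopes at the resource group rather than the subscription is what keeps the role genuinely least privilege.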

  • Moving resources in Azure

    Toward the end of the year, one of my customers mentioned that they were reorganizing the resources in their subscriptions. This isn't unusual for an enterprise that is further along in its cloud adoption journey, and it is an excellent measure of increased maturity. Those of you reading this with AWS expertise know that this is effectively an automation exercise of shutting down VMs, copying data, and spinning up new instances in the target region/account. Microsoft recognized this as a problem and announced the Azure Resource Mover at Ignite 2020. In this post, I describe how my customer used the Resource Mover and the edge cases we encountered along the way.

  • SSH Key Management in Azure

    Where are the keys?

    The last post in this series addressed the authorization required to generate SSH keys in Azure when creating Linux VMs through the portal. In this post, I identify the differences between the key generation workflows and point out the unexpected locations where key data ends up stored.