Ensure that Microsoft Defender for Cloud is enabled for Azure key vaults. Key Vault is the Azure cloud service that safeguards encryption keys and secrets such as certificates, connection strings, and passwords.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
By default, Microsoft Defender for Cloud is disabled for Azure key vaults. When enabled, Defender for Cloud detects unusual and potentially harmful attempts to access or exploit your Azure Key Vault data. This layer of protection allows you to address threats without being a security expert, and without having to deploy and manage third-party security monitoring tools or services.
Audit
To determine if the Microsoft Defender for Cloud security service is enabled for Azure key vaults, perform the following operations:
Remediation / Resolution
To enable Microsoft Defender for Cloud for your Microsoft Azure key vaults, perform the following operations:
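The audit and the remediation above can be scripted with the Azure CLI. The following is an added example, not code from the Conformity rule page; it assumes an authenticated Azure CLI session with the target subscription selected, and that the Defender plan for key vaults is named KeyVaults under Microsoft.Security/pricings. The JSON evaluation is kept in its own function so it can be checked without an Azure session.

```shell
#!/bin/sh
# Added example (not from the Conformity page): audit and remediate the
# Defender for Cloud plan for Key Vault with the Azure CLI.
# Assumptions: an authenticated Azure CLI session, and the Defender plan
# name "KeyVaults" under Microsoft.Security/pricings.

PLAN="KeyVaults"

# Extract the pricingTier value from the JSON that
# `az security pricing show` prints (read from stdin).
# Prints "Standard", "Free", or "unknown" when the field is absent.
pricing_tier() {
  tier=$(sed -n 's/.*"pricingTier": *"\([A-Za-z]*\)".*/\1/p' | head -n 1)
  if [ -z "$tier" ]; then
    echo unknown
  else
    echo "$tier"
  fi
}

# Map the tier to a compliance verdict: only the Standard tier means
# Defender for Key Vault is enabled.
verdict_for_tier() {
  case "$1" in
    Standard) echo "COMPLIANT: Defender for Key Vault is enabled" ;;
    Free) echo "NON_COMPLIANT: Defender for Key Vault is disabled" ;;
    *) echo "UNKNOWN: could not read the pricing tier" ;;
  esac
}

# Audit: read the plan tier for the subscription selected with `az account set`.
audit_keyvault_defender() {
  az security pricing show --name "$PLAN" --output json | pricing_tier
}

# Remediation: switch the plan to Standard. The Standard tier is billed
# per key vault, as the rule page notes.
enable_keyvault_defender() {
  az security pricing create --name "$PLAN" --tier Standard --output none
}

# Entry point: `./check.sh --run` audits, `./check.sh --run --fix` also remediates.
if [ "${1:-}" = "--run" ]; then
  tier=$(audit_keyvault_defender)
  verdict_for_tier "$tier"
  if [ "$tier" = "Free" ] && [ "${2:-}" = "--fix" ]; then
    enable_keyvault_defender
  fi
fi
```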
Note: Turning on Defender for Cloud for the specified resource type (i.e. key vaults) incurs an additional cost per resource.
References
- Azure Official Documentation
- Microsoft Defender for Cloud documentation
- What is Microsoft Defender for Cloud?
- Microsoft Defender for Cloud pricing
- Microsoft Defender for Cloud's enhanced security features
- Introduction to Microsoft Defender for Key Vault
- CIS Microsoft Azure Foundations
- Azure Command Line Interface (CLI) Documentation
- az
- az account get-access-token