<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Azure-Key-Vault on Tarragon</title><link>https://tarrragon.github.io/blog/tags/azure-key-vault/</link><description>Recent content in Azure-Key-Vault on Tarragon</description><generator>Hugo -- gohugo.io</generator><language>zh-TW</language><copyright>Tarragon (CC BY 4.0)</copyright><lastBuildDate>Mon, 18 May 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://tarrragon.github.io/blog/tags/azure-key-vault/index.xml" rel="self" type="application/rss+xml"/><item><title>Azure Key Vault</title><link>https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/azure-key-vault/</link><pubDate>Mon, 18 May 2026 00:00:00 +0000</pubDate><guid>https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/azure-key-vault/</guid><description>&lt;p>Azure Key Vault 是 Azure 平台把 &lt;em>secret&lt;/em>、&lt;em>cryptographic key&lt;/em>、&lt;em>X.509 certificate&lt;/em> 三類資產 &lt;em>合進同一個 service&lt;/em> 的設計。Vault instance 本身是 first-class ARM resource、有 FQDN endpoint（&lt;code>https://&amp;lt;vault-name&amp;gt;.vault.azure.net&lt;/code>）、跟 &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/azure-rbac/" data-link-title="Azure RBAC &amp;#43; Entra ID" data-link-desc="Azure 雙層身份/權限體系、Entra ID（IdP）&amp;#43; Azure RBAC（resource permission）、Conditional Access、PIM、Managed Identity">Azure RBAC&lt;/a> 跟 &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/azure-rbac/" data-link-title="Azure RBAC &amp;#43; Entra ID" data-link-desc="Azure 雙層身份/權限體系、Entra ID（IdP）&amp;#43; Azure RBAC（resource permission）、Conditional Access、PIM、Managed Identity">Entra ID&lt;/a> Managed Identity 深度整合 — 每個 Vault 自己一個邊界、區別於 region-wide service 的模型。&lt;/p>
&lt;h2 id="服務定位">服務定位&lt;/h2>
&lt;p>Azure Key Vault 的核心定位是 &lt;em>三合一 secret + key + cert service 加 Azure-native secret-less 取用&lt;/em>。AWS 是 &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/aws-secrets-manager/" data-link-title="AWS Secrets Manager" data-link-desc="AWS 原生 secret store &amp;#43; 內建 RDS / Redshift rotation Lambda、Resource Policy 跨帳號共享、KMS 加密">Secrets Manager&lt;/a> + &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/aws-kms/" data-link-title="AWS KMS" data-link-desc="AWS 原生 key management service、envelope encryption / digital signing / Multi-Region Key、Key Policy &amp;#43; Grant 雙軌授權">KMS&lt;/a> + &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/aws-acm/" data-link-title="AWS ACM" data-link-desc="AWS-managed certificate provisioning、DNS validation &amp;#43; auto-renewal、整合 ELB / CloudFront / API Gateway、Private CA 後端">ACM&lt;/a> 三個獨立 service、職責邊界清楚但要管三套權限；GCP 是 &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/google-secret-manager/" data-link-title="Google Secret Manager" data-link-desc="GCP 原生 secret store、CMEK &amp;#43; Workload Identity Federation 整合、rotation 走自寫 Cloud Function 而非 built-in Lambda">Google Secret Manager&lt;/a> + &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/google-cloud-kms/" data-link-title="Google Cloud KMS" data-link-desc="GCP 原生 key management service、KeyRing / CryptoKey Version 設計、CMEK 整合 &amp;#43; Cloud HSM &amp;#43; External Key Manager">Cloud KMS&lt;/a> + Certificate Authority Service 三個獨立；Azure 把這三件事合在 Key Vault — 同一 RBAC role 可同時管 secret / key / cert、減少 IAM 維護成本、但治理上需要在 Vault 內用 &lt;em>naming convention + 多 Vault instance&lt;/em> 自己劃分敏感度邊界（例：production secret / cert 分開不同 Vault、admin access 分人）。&lt;/p></description><content:encoded><![CDATA[<p>Azure Key Vault 是 Azure 平台把 <em>secret</em>、<em>cryptographic key</em>、<em>X.509 certificate</em> 三類資產 <em>合進同一個 service</em> 的設計。Vault instance 本身是 first-class ARM resource、有 FQDN endpoint（<code>https://&lt;vault-name&gt;.vault.azure.net</code>）、跟 <a href="/blog/backend/07-security-data-protection/vendors/azure-rbac/" data-link-title="Azure RBAC &#43; Entra ID" data-link-desc="Azure 雙層身份/權限體系、Entra ID（IdP）&#43; Azure RBAC（resource permission）、Conditional Access、PIM、Managed Identity">Azure RBAC</a> 跟 <a href="/blog/backend/07-security-data-protection/vendors/azure-rbac/" data-link-title="Azure RBAC &#43; Entra ID" data-link-desc="Azure 雙層身份/權限體系、Entra ID（IdP）&#43; Azure RBAC（resource permission）、Conditional Access、PIM、Managed Identity">Entra ID</a> Managed Identity 深度整合 — 每個 Vault 自己一個邊界、區別於 region-wide service 的模型。</p>
<h2 id="服務定位">服務定位</h2>
<p>Azure Key Vault 的核心定位是 <em>三合一 secret + key + cert service 加 Azure-native secret-less 取用</em>。AWS 是 <a href="/blog/backend/07-security-data-protection/vendors/aws-secrets-manager/" data-link-title="AWS Secrets Manager" data-link-desc="AWS 原生 secret store &#43; 內建 RDS / Redshift rotation Lambda、Resource Policy 跨帳號共享、KMS 加密">Secrets Manager</a> + <a href="/blog/backend/07-security-data-protection/vendors/aws-kms/" data-link-title="AWS KMS" data-link-desc="AWS 原生 key management service、envelope encryption / digital signing / Multi-Region Key、Key Policy &#43; Grant 雙軌授權">KMS</a> + <a href="/blog/backend/07-security-data-protection/vendors/aws-acm/" data-link-title="AWS ACM" data-link-desc="AWS-managed certificate provisioning、DNS validation &#43; auto-renewal、整合 ELB / CloudFront / API Gateway、Private CA 後端">ACM</a> 三個獨立 service、職責邊界清楚但要管三套權限；GCP 是 <a href="/blog/backend/07-security-data-protection/vendors/google-secret-manager/" data-link-title="Google Secret Manager" data-link-desc="GCP 原生 secret store、CMEK &#43; Workload Identity Federation 整合、rotation 走自寫 Cloud Function 而非 built-in Lambda">Google Secret Manager</a> + <a href="/blog/backend/07-security-data-protection/vendors/google-cloud-kms/" data-link-title="Google Cloud KMS" data-link-desc="GCP 原生 key management service、KeyRing / CryptoKey Version 設計、CMEK 整合 &#43; Cloud HSM &#43; External Key Manager">Cloud KMS</a> + Certificate Authority Service 三個獨立；Azure 把這三件事合在 Key Vault — 同一 RBAC role 可同時管 secret / key / cert、減少 IAM 維護成本、但治理上需要在 Vault 內用 <em>naming convention + 多 Vault instance</em> 自己劃分敏感度邊界（例：production secret / cert 分開不同 Vault、admin access 分人）。</p>
<p>跟 <a href="/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">HashiCorp Vault</a> 相比、Azure Key Vault 是 Azure-only 的 <em>static-focused</em> 服務 — 沒有 dynamic credential engine、沒有 transit encryption-as-a-service、沒有跨雲統一介面。優勢是 <em>零運維</em> + <em>Managed Identity 取用免 client secret</em> + <em>Premium tier 直接 HSM-backed</em>。Azure-heavy + 一站式 secret/key/cert + secret-less workload 取用是 Key Vault 的甜蜜點。</p>
<h2 id="本章目標">本章目標</h2>
<p>讀完本頁、讀者能判斷：</p>
<ol>
<li>哪些 secret / key / cert 適合放 Key Vault、哪些該走 <a href="https://learn.microsoft.com/azure/key-vault/managed-hsm/overview">Managed HSM</a>（FIPS 140-2 Level 3 需求）</li>
<li>Access Policy 跟 Azure RBAC 兩種授權模型的差異與 migration 路徑</li>
<li>Soft Delete + Purge Protection 的 <em>防誤刪</em> 與 <em>防勒索</em> 邊界</li>
<li>何時用 Key Vault、何時改走 <a href="/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">HashiCorp Vault</a>（跨雲 + dynamic credential）的取捨</li>
</ol>
<h2 id="最短判讀路徑">最短判讀路徑</h2>
<p>判斷 Azure Key Vault deployment 是否健康、最少看四件事：</p>
<ul>
<li><strong>誰能 access</strong>：Vault 用 Access Policy 還是 Azure RBAC、是否還有 legacy Access Policy 沒清掉、Managed Identity 的 role assignment 是否最小化（Key Vault Secrets User 而非 Key Vault Administrator）</li>
<li><strong>RBAC vs Access Policy 模型</strong>：production 應該全走 Azure RBAC（跟 <a href="/blog/backend/07-security-data-protection/vendors/azure-rbac/" data-link-title="Azure RBAC &#43; Entra ID" data-link-desc="Azure 雙層身份/權限體系、Entra ID（IdP）&#43; Azure RBAC（resource permission）、Conditional Access、PIM、Managed Identity">Azure RBAC vendor</a> 同套）、舊 Access Policy 是 migration backlog、不可長期兩軌並存</li>
<li><strong>Soft Delete + Purge Protection</strong>：兩個都應開、Soft Delete 90 天 retention、Purge Protection 開了之後連 owner 都不能立即 purge — 防誤刪 + 防 ransomware 一次性刪光</li>
<li><strong>Diagnostic Logs</strong>：Key Vault <em>預設不記操作 log</em>、必須手動配 Diagnostic Setting 推 Log Analytics / Event Hub / Storage — 沒這層 <code>KeyVaultGet</code> / <code>SecretGet</code> 都沒 audit trail</li>
</ul>
<p>四件事任一缺失、就是 <a href="/blog/backend/knowledge-cards/audit-log/" data-link-title="Audit Log" data-link-desc="說明高風險操作如何留下可追溯、可稽核的紀錄">Audit Log</a> 與 <a href="/blog/backend/knowledge-cards/secret-management/" data-link-title="Secret Management" data-link-desc="說明 token、key、password 與憑證如何保存、輪替與撤銷">Secret Management</a> 邊界的待補項目。</p>
<h2 id="日常操作與決策形狀">日常操作與決策形狀</h2>
<p><strong>Vault Standard vs Premium</strong>：Standard 用 software protection（key 存在 Microsoft-managed software boundary）、Premium 用 FIPS 140-2 Level 2 HSM-backed key、key material 在 HSM 內、不可 export。Premium 適合 <em>signing key / wrapping key 等高敏 key</em>、Standard 適合 <em>application secret + 常規 envelope encryption key</em>。要 FIPS 140-2 Level 3、Standard 跟 Premium 都不夠、必須用 Managed HSM。</p>
<p><strong>Access Policy vs Azure RBAC（兩種授權）</strong>：Access Policy 是 Key Vault legacy 模型 — 在 Vault 物件上掛一張 capability 表（Get / List / Set / Delete / Encrypt / Sign 等細粒度權限）、跟 Azure RBAC 體系獨立。Azure RBAC 模型是新版 — 用 Azure built-in role（Key Vault Secrets User / Key Vault Crypto User / Key Vault Administrator）走 <a href="/blog/backend/07-security-data-protection/vendors/azure-rbac/" data-link-title="Azure RBAC &#43; Entra ID" data-link-desc="Azure 雙層身份/權限體系、Entra ID（IdP）&#43; Azure RBAC（resource permission）、Conditional Access、PIM、Managed Identity">Entra ID</a> 統一身份治理。production 全走 RBAC、舊 Vault 的 Access Policy 是 migration backlog — 兩軌並存會出現 <em>RBAC 拒絕但 Access Policy 允許</em> 的權限漏洞。</p>
<p><strong>Managed Identity 取用（secret-less）</strong>：Azure VM / Function / App Service / AKS pod 走 <em>Managed Identity</em> 直接呼叫 Key Vault API — 不需要存 client secret 或 cert。Workload 拿 IMDS token、token 帶 Entra ID identity、Key Vault 端用 RBAC role assignment 驗證 — 這是 Azure-native 的 secret-less 取用模式、跟 <a href="/blog/backend/07-security-data-protection/vendors/aws-iam/" data-link-title="AWS IAM" data-link-desc="AWS cloud resource permission engine、Role / Policy / STS、跨帳號信任邊界與 OIDC federation 的核心">AWS IAM Role for Service Account</a> / <a href="/blog/backend/07-security-data-protection/vendors/google-cloud-iam/" data-link-title="Google Cloud IAM" data-link-desc="GCP cloud resource permission engine、Role Binding / Service Account / Workload Identity Federation、resource hierarchy 為核心的權限治理">GCP Workload Identity</a> 同類設計。production 應該 <em>只允許</em> Managed Identity 取用、禁用 service principal + client secret。</p>
<p><strong>Secret rotation（手動 / event-driven）</strong>：Key Vault Secret <em>沒有像 <a href="/blog/backend/07-security-data-protection/vendors/aws-secrets-manager/" data-link-title="AWS Secrets Manager" data-link-desc="AWS 原生 secret store &#43; 內建 RDS / Redshift rotation Lambda、Resource Policy 跨帳號共享、KMS 加密">AWS Secrets Manager</a> 內建的 rotation Lambda</em>。Rotation 走兩條路：手動更新 secret version（app 端拉新版）、或 Event Grid 通知 secret 過期 + Azure Function 觸發 rotation。後者需要自己寫 rotation logic、Key Vault 只提供 <em>版本管理</em> 跟 <em>過期通知</em>、不負責執行 rotation。</p>
<p><strong>Key Rotation Policy</strong>：Key（不是 Secret）有 native Rotation Policy — Vault 在 key 到期前自動生成新版、舊版保留可解密但不再 encrypt。policy 設 <code>rotationPeriod</code> + <code>notifyBeforeExpiry</code>、Key Vault 自動跑、不需要外部觸發。Secret 沒這功能、Key 才有。</p>
<p><strong>Certificate auto-renewal</strong>：Certificate object 可整合 <em>Issuer</em>（DigiCert / GlobalSign / 自簽）做 auto-issue + auto-renew — Key Vault 在到期前自動跑 CSR、向 Issuer 申請新 cert、寫回同一個 Certificate object（保留歷史版本）。比起手動跑 OpenSSL + 寫進 <a href="/blog/backend/07-security-data-protection/vendors/aws-acm/" data-link-title="AWS ACM" data-link-desc="AWS-managed certificate provisioning、DNS validation &#43; auto-renewal、整合 ELB / CloudFront / API Gateway、Private CA 後端">AWS ACM</a>、Certificate object 的優勢是 <em>Issuer 在 Vault 端統一治理</em> — 不過只支援整合過的 public CA。</p>
<p><strong>Soft Delete + Purge Protection</strong>：Soft Delete 預設開（2020 後新 Vault 強制開）、delete 後 90 天 retention、Recover 可救回。Purge Protection 是 <em>額外</em> 開關 — 開了之後 retention 內任何人（包含 subscription owner）都不能 <code>purge</code> 立即清除、必須等 90 天到期才會物理刪除。這是 <em>防勒索</em> 的關鍵 — 沒 Purge Protection、attacker 拿到 owner role 可以 delete + purge 一次性清光。</p>
<p><strong>Private Endpoint</strong>：Key Vault 預設是 public endpoint（FQDN 走 internet）。Private Endpoint 把 Vault 拉進 VNet、只走內網存取 — 高敏 Vault 應該關 public access、強制走 Private Endpoint + Firewall rule（IP 白名單）。</p>
<h2 id="核心取捨表">核心取捨表</h2>
<table>
  <thead>
      <tr>
          <th>取捨維度</th>
          <th>Azure Key Vault</th>
          <th>AWS（拆三個）</th>
          <th>GCP（拆三個）</th>
          <th>HashiCorp Vault</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>部署模型</td>
          <td>Azure managed、三合一</td>
          <td>AWS managed、Secrets Manager + KMS + ACM 各獨立</td>
          <td>GCP managed、GSM + Cloud KMS + CAS 各獨立</td>
          <td>自管或 HCP managed</td>
      </tr>
      <tr>
          <td>服務邊界</td>
          <td>一個 Vault 內 secret/key/cert 共用 ACL</td>
          <td>三個 service 各自 IAM policy、邊界清楚</td>
          <td>三個 service 各自 IAM policy</td>
          <td>一個 cluster 內 path-based policy</td>
      </tr>
      <tr>
          <td>Secret-less 取用</td>
          <td>Managed Identity 原生</td>
          <td>IAM Role for Service Account / IRSA</td>
          <td>Workload Identity Federation</td>
          <td>AppRole / K8s / cloud IAM auth</td>
      </tr>
      <tr>
          <td>Dynamic credential</td>
          <td>無 — 純 static</td>
          <td>部分（RDS rotation Lambda）</td>
          <td>較弱（依靠 IAM impersonation）</td>
          <td>強 — database / cloud / SSH engine</td>
      </tr>
      <tr>
          <td>HSM 等級</td>
          <td>Standard 軟體 / Premium FIPS 140-2 Level 2 / Managed HSM Level 3</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/aws-kms/" data-link-title="AWS KMS" data-link-desc="AWS 原生 key management service、envelope encryption / digital signing / Multi-Region Key、Key Policy &#43; Grant 雙軌授權">KMS</a> Level 3 / <a href="/blog/backend/07-security-data-protection/vendors/cloudhsm/" data-link-title="AWS CloudHSM" data-link-desc="Single-tenant dedicated HSM（FIPS 140-2 Level 3）、AWS 不持 Crypto User credential、合規 &#43; 資料主權場景的 key custody">CloudHSM</a> Level 3</td>
          <td>Cloud KMS HSM Level 3 / Cloud HSM Level 3</td>
          <td>走後端 KMS（AWS / GCP / Azure）</td>
      </tr>
      <tr>
          <td>Certificate auto-renew</td>
          <td>內建（整合 DigiCert / GlobalSign）</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/aws-acm/" data-link-title="AWS ACM" data-link-desc="AWS-managed certificate provisioning、DNS validation &#43; auto-renewal、整合 ELB / CloudFront / API Gateway、Private CA 後端">ACM</a> auto-renew、限 AWS-issued</td>
          <td>CAS + Public CA 整合</td>
          <td>PKI engine 自簽 + <a href="/blog/backend/07-security-data-protection/vendors/cert-manager/" data-link-title="cert-manager" data-link-desc="K8s 原生 certificate lifecycle automation、支援 Let&#39;s Encrypt / Vault PKI / Venafi 等多 issuer、auto-renewal &#43; Challenge solver">cert-manager</a></td>
      </tr>
      <tr>
          <td>跨雲</td>
          <td>弱 — Azure-only</td>
          <td>弱 — AWS-only</td>
          <td>弱 — GCP-only</td>
          <td>強 — 跨雲統一介面</td>
      </tr>
      <tr>
          <td>適合場景</td>
          <td>Azure-heavy + 三合一一站式 + Managed Identity</td>
          <td>AWS-heavy + 職責拆分 + RDS 自動 rotation</td>
          <td>GCP-heavy + Workload Identity Federation</td>
          <td>跨雲 + dynamic credential + 內部 PKI</td>
      </tr>
  </tbody>
</table>
<p>選 Azure Key Vault 的核心訴求：<em>Azure-only</em>、需要 <em>secret + key + cert</em> 一站式、workload 走 <em>Managed Identity</em> secret-less 取用、可接受 <em>無 dynamic credential</em>。需要跨雲統一 secret 控制面、或要 dynamic database credential、走 <a href="/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">HashiCorp Vault</a>。</p>
<h2 id="進階主題">進階主題</h2>
<p><strong>Managed HSM（dedicated）</strong>：Managed HSM 是 <em>dedicated single-tenant HSM cluster</em>、FIPS 140-2 Level 3、跟 multi-tenant 的 Key Vault Premium 是不同 service。Managed HSM 適合 <em>主權合規</em>（key material 完全自有控制權、Microsoft 也不可存取）、<em>金融 / 醫療 / 政府場景</em>。代價是 <em>貴</em> 跟 <em>初始化要走 ceremony</em>（多人持有 activation key、Microsoft 不可單方面操作）— 不是 Premium 的簡單升級、是另一條 product line。</p>
<p><strong>Premium tier HSM-backed Key</strong>：Premium tier 的 key 有 <code>HSM-protected</code> 屬性、key material 在 multi-tenant HSM 內、API call 還是走標準 Key Vault endpoint、但 cryptographic operation 在 HSM 跑。比 Standard 慢一點、價格高、適合 <em>signing key / wrapping key / root encryption key</em> — 一般 application secret 還是 Standard 即可。</p>
<p><strong>Certificate Issuer 整合</strong>：Vault 內可註冊 Issuer（DigiCert / GlobalSign / Entrust）、提供 API credential、Vault 在 Certificate 到期前自動跑 CSR、向 Issuer 申請、Issuer 簽完寫回 Vault。Self-signed / Unknown Issuer 也支援、後者表示 <em>Vault 產 CSR、人或 pipeline 拿去外部 CA 簽完再 import 回 Vault</em>。</p>
<p><strong>Cross-tenant key access（federated identity）</strong>：Key Vault 可允許跨 Entra ID tenant 的 service principal 取用 — 透過 Federated Identity Credential（Workload Identity Federation）、外部 tenant 的 identity（甚至 GitHub Actions OIDC、AWS workload）拿 token 來 Key Vault 驗證。這是 cross-cloud workload 拉 Azure secret 的方式、不需要存 Azure service principal credential。</p>
<p><strong>跟 <a href="/blog/backend/07-security-data-protection/vendors/azure-rbac/" data-link-title="Azure RBAC &#43; Entra ID" data-link-desc="Azure 雙層身份/權限體系、Entra ID（IdP）&#43; Azure RBAC（resource permission）、Conditional Access、PIM、Managed Identity">Entra ID</a> Conditional Access 整合</strong>：Key Vault 用 Azure RBAC 模型時、可走 Conditional Access policy — <em>特定 IP</em>、<em>已 enrolled 裝置</em>、<em>MFA 已驗證</em> 才能取用 secret / key。production 高敏 Vault 應該疊 Conditional Access、避免單純 RBAC 在 token leak 時就直接被存取。</p>
<h2 id="排錯與失敗快速判讀">排錯與失敗快速判讀</h2>
<ul>
<li><strong>Diagnostic Setting 沒開</strong>：production Vault 啟用後忘了配 Diagnostic Setting 推 log、事故發生時無 <code>SecretGet</code> / <code>KeyDecrypt</code> 紀錄 — 啟動 checklist 必含「Diagnostic Setting → Log Analytics」、Azure Policy 強制全 subscription Vault 都配</li>
<li><strong>Access Policy 跟 RBAC 兩軌並存</strong>：migration 過程中 RBAC 已切換但舊 Access Policy 沒清、出現 <em>RBAC 拒絕但 Access Policy 允許</em> — migration 一次切斷、跑 <code>az keyvault update --enable-rbac-authorization true</code> 後清空所有 Access Policy</li>
<li><strong>Soft Delete 沒開 / Purge Protection 沒開</strong>：誤刪 secret 救不回、或 attacker 拿到 owner role 一次 purge 清光 — 新 Vault 兩個都強制開、Azure Policy 阻擋 <code>enablePurgeProtection: false</code> 的 Vault 建立</li>
<li><strong>Managed Identity role 過寬</strong>：給 workload identity <code>Key Vault Administrator</code> 而非 <code>Key Vault Secrets User</code> — workload 拿到 admin role 等於可改 ACL — role assignment 走 least privilege built-in role</li>
<li><strong>Premium key 跑非 HSM operation</strong>：Premium key 配錯 attribute、key 變成 software-protected 而非 HSM-protected — 建 key 時明示 <code>--protection hsm</code>、CI 驗證 key attribute</li>
<li><strong>Certificate auto-renew Issuer credential 過期</strong>：Vault 內 DigiCert API credential 過期、auto-renew 默默失敗、cert 到期前才發現 — Issuer credential 也要 rotation + monitor</li>
<li><strong>Public access 開著</strong>：Vault 沒關 public endpoint、secret 暴露在 internet（雖然有 RBAC、但 attack surface 多一層）— 高敏 Vault 強制 Private Endpoint + Firewall rule</li>
</ul>
<h2 id="何時改走其他服務">何時改走其他服務</h2>
<table>
  <thead>
      <tr>
          <th>需求形狀</th>
          <th>改走</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>跨雲統一 secret 控制面</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">HashiCorp Vault</a></td>
      </tr>
      <tr>
          <td>Dynamic database / cloud credential</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">HashiCorp Vault</a>（database / cloud secret engine）</td>
      </tr>
      <tr>
          <td>FIPS 140-2 Level 3 HSM</td>
          <td><a href="https://learn.microsoft.com/azure/key-vault/managed-hsm/overview">Managed HSM</a> / <a href="/blog/backend/07-security-data-protection/vendors/cloudhsm/" data-link-title="AWS CloudHSM" data-link-desc="Single-tenant dedicated HSM（FIPS 140-2 Level 3）、AWS 不持 Crypto User credential、合規 &#43; 資料主權場景的 key custody">CloudHSM</a></td>
      </tr>
      <tr>
          <td>內部 PKI workload mTLS</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/cert-manager/" data-link-title="cert-manager" data-link-desc="K8s 原生 certificate lifecycle automation、支援 Let&#39;s Encrypt / Vault PKI / Venafi 等多 issuer、auto-renewal &#43; Challenge solver">cert-manager</a> + Vault PKI / SPIRE</td>
      </tr>
      <tr>
          <td>公開 web cert 自動更新（非 Azure-issued）</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/letsencrypt/" data-link-title="Let&#39;s Encrypt" data-link-desc="免費 &#43; 自動化的公共 ACME CA、90 天 TTL 強制自動化、跨雲跨平台 public TLS cert 的事實基礎">Let&rsquo;s Encrypt</a> + cert-manager</td>
      </tr>
      <tr>
          <td>Entra ID 身份治理 / Conditional Access</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/azure-rbac/" data-link-title="Azure RBAC &#43; Entra ID" data-link-desc="Azure 雙層身份/權限體系、Entra ID（IdP）&#43; Azure RBAC（resource permission）、Conditional Access、PIM、Managed Identity">Azure RBAC</a></td>
      </tr>
      <tr>
          <td>Secret rotation 證據鏈</td>
          <td><a href="/blog/backend/07-security-data-protection/credential-rotation-scoped-evidence/" data-link-title="7.27 Credential Rotation with Scoped Evidence 實作示範" data-link-desc="以 webhook/API credential 輪替示範 scope map、證據欄位與回退窗口如何一起設計。">7.5 Credential Rotation Scoped Evidence</a></td>
      </tr>
  </tbody>
</table>
<h2 id="不在本頁內的主題">不在本頁內的主題</h2>
<ul>
<li>Key Vault REST API / Azure CLI 完整 reference</li>
<li>Managed HSM activation ceremony 完整步驟</li>
<li>Bicep / Terraform 配置 Key Vault 的完整 IaC 範例</li>
<li>Certificate Issuer（DigiCert / GlobalSign）的合約與計價細節</li>
<li>每個 Entra ID role 的細粒度 permission map</li>
</ul>
<h2 id="案例回寫">案例回寫</h2>
<table>
  <thead>
      <tr>
          <th>案例</th>
          <th>跟 Azure Key Vault 的關係</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/cases/azure-ad-identity-control-plane-2021/" data-link-title="7.C3 Azure AD：2021 Identity Control-plane 事件" data-link-desc="身分控制面事件如何影響多服務信任鏈與回復優先序。">Azure AD Identity Control Plane 2021</a></td>
          <td>Key Vault 是身份控制面下游、Entra ID 出事時 Managed Identity 取 Vault 也失敗 — 需要 fallback access plan（emergency Access Policy + separate identity 走 break-glass）</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/cases/microsoft-storm-0558-signing-key-2023/" data-link-title="7.C4 Microsoft：Storm-0558 簽章金鑰事件" data-link-desc="簽章金鑰事件如何回寫 identity 信任邊界與觀測證據鏈。">Microsoft Storm-0558 Signing Key 2023</a></td>
          <td>Key Vault Premium / Managed HSM 把 signing key 鎖硬體、key 不離保護邊界、跟 HSM-bound 同 mindset — signing key 必上 Premium 或 Managed HSM、不放 Standard</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/red-team/cases/identity-access/microsoft-storm-0558-2023-signing-key-chain/" data-link-title="7.R7.1.5 Microsoft Storm-0558 2023：簽章金鑰鏈與郵件存取" data-link-desc="從簽章金鑰保護失效到雲端郵件存取，拆解身分信任鏈的關鍵控制點">Microsoft Storm-0558 Signing Key Chain (red-team)</a></td>
          <td>Asymmetric Key + Diagnostic Logs 是「誰用 key」的稽核基礎 — production Vault 必開 Diagnostic Setting 推 SIEM、不然 key 被誰用過完全沒紀錄</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/cases/failure-credential-rotation-without-scope/" data-link-title="7.C9 反例：憑證輪替未分 Scope" data-link-desc="憑證輪替若未分域分批，容易造成跨系統連鎖中斷。">Failure: Credential Rotation Without Scope</a></td>
          <td>Key Vault Secret 跨 service 共用時 rotation 要分域 — Vault 端用 Event Grid 通知 + app 端訂閱 rotation event、不能一次 push 全域更新</td>
      </tr>
  </tbody>
</table>
<h2 id="下一步路由">下一步路由</h2>
<ul>
<li>上游：<a href="/blog/backend/07-security-data-protection/secrets-and-machine-credential-governance/" data-link-title="7.6 秘密管理與機器憑證治理" data-link-desc="以問題驅動方式整理 secret、token、key 與機器身份治理">7.6 秘密管理與機器憑證治理</a>、<a href="/blog/backend/07-security-data-protection/transport-trust-and-certificate-lifecycle/" data-link-title="7.5 傳輸信任與憑證生命週期" data-link-desc="以問題驅動方式整理傳輸信任鏈、會話完整性與憑證節奏">7.5 傳輸信任與憑證生命週期</a>（Key Vault Certificate + Managed HSM 為 TLS / signing key 的 root custodian）、<a href="/blog/backend/07-security-data-protection/identity-access-boundary/" data-link-title="7.2 身分與授權邊界" data-link-desc="以問題驅動方式整理身分、授權、會話與供應商身分鏈">7.2 身分與授權邊界</a></li>
<li>平行（secret store）：<a href="/blog/backend/07-security-data-protection/vendors/aws-secrets-manager/" data-link-title="AWS Secrets Manager" data-link-desc="AWS 原生 secret store &#43; 內建 RDS / Redshift rotation Lambda、Resource Policy 跨帳號共享、KMS 加密">AWS Secrets Manager</a>、<a href="/blog/backend/07-security-data-protection/vendors/google-secret-manager/" data-link-title="Google Secret Manager" data-link-desc="GCP 原生 secret store、CMEK &#43; Workload Identity Federation 整合、rotation 走自寫 Cloud Function 而非 built-in Lambda">Google Secret Manager</a>、<a href="/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">HashiCorp Vault</a></li>
<li>平行（KMS-class）：<a href="/blog/backend/07-security-data-protection/vendors/aws-kms/" data-link-title="AWS KMS" data-link-desc="AWS 原生 key management service、envelope encryption / digital signing / Multi-Region Key、Key Policy &#43; Grant 雙軌授權">AWS KMS</a>、<a href="/blog/backend/07-security-data-protection/vendors/google-cloud-kms/" data-link-title="Google Cloud KMS" data-link-desc="GCP 原生 key management service、KeyRing / CryptoKey Version 設計、CMEK 整合 &#43; Cloud HSM &#43; External Key Manager">Google Cloud KMS</a>、<a href="/blog/backend/07-security-data-protection/vendors/cloudhsm/" data-link-title="AWS CloudHSM" data-link-desc="Single-tenant dedicated HSM（FIPS 140-2 Level 3）、AWS 不持 Crypto User credential、合規 &#43; 資料主權場景的 key custody">CloudHSM</a>（Key Vault 是跨類 vendor、同時是 secret store 跟 key management）</li>
<li>下游：<a href="/blog/backend/07-security-data-protection/vendors/azure-rbac/" data-link-title="Azure RBAC &#43; Entra ID" data-link-desc="Azure 雙層身份/權限體系、Entra ID（IdP）&#43; Azure RBAC（resource permission）、Conditional Access、PIM、Managed Identity">Azure RBAC</a>（Managed Identity + RBAC 取用模型）</li>
<li>下游：<a href="/blog/backend/07-security-data-protection/vendors/cert-manager/" data-link-title="cert-manager" data-link-desc="K8s 原生 certificate lifecycle automation、支援 Let&#39;s Encrypt / Vault PKI / Venafi 等多 issuer、auto-renewal &#43; Challenge solver">cert-manager</a>（K8s workload cert 自動化、可整合 Key Vault Certificate）</li>
<li>跨模組：<a href="/blog/backend/08-incident-response/vendors/" data-link-title="事故處理 Vendor 清單" data-link-desc="規劃 on-call、incident response、status page 與 postmortem 工具的服務頁撰寫順序與判準">8 事故處理 vendor 清單</a>（Key Vault 事件如何 routing 進 IR 流程）</li>
<li>官方：<a href="https://learn.microsoft.com/azure/key-vault/">Azure Key Vault Documentation</a></li>
</ul>
]]></content:encoded></item></channel></rss>