Tuesday, March 08, 2022

An Introduction to Key Vault Monitoring and Alerts Approach

Key Vault Monitoring and Alerts Approach Using Azure Event Grid and Azure Automation Account


We know Azure Key Vault provides a safe and easy way to store client secrets, API keys, passwords, connection strings, certificates, and so on. From a security and audit perspective, it is therefore necessary to monitor the following Key Vault activities:
  • Changes recorded in the Key Vault's event logs
  • Changes to the keys stored in the Key Vault
  • Changes to the Key Vault's policies, etc.


Scope Definition


Here, Key Vault monitoring means fetching key change events using Event Grid and an Azure Automation Account (i.e. a Webhook and a Runbook). The Key Vault integration with Azure Event Grid (preview) lets you be notified when one of the secrets in the Key Vault is about to expire, has expired, or has a new version available.

In practice, the status change makes an HTTP POST to the endpoint, and the Webhook triggers Automation to execute a PowerShell script.


In addition, under the Events blade of the Key Vault, we can configure an Event Subscription whose endpoint is the previously created Webhook URL, entered as the Subscriber Endpoint.



Now any event concerning the Key Vault, such as a new secret or any other change, is captured by Event Grid. Under Metrics we can verify the event and cross-check the trigger status of the Webhook.


Scope Implementation


Treating this activity as a demo, I'll use the same test Key Vault, where each change event of keys or secrets can be captured by Event Grid and the Webhook. In parallel, we can trigger an alert mail by using a Logic App on top of the Event Grid implementation and a SendGrid account.

In brief, the following resources are covered in this hands-on activity:
  • Key Vault
  • Event Grid
  • Webhook/Runbook (Automation Account)
  • Logic Apps
  • SendGrid

Prepare Runbook


Before proceeding, we need to create a PowerShell Runbook and publish it with a snippet of code that receives and processes the POST request.
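The following Runbook body is an added example, not code from the original article: it reads the Event Grid payload that Azure Automation hands to a webhook-started Runbook in the $WebhookData parameter, keeps only Key Vault events, and ranks access-policy changes and expiries above routine version events. The field names (eventType, eventTime, data.VaultName, data.ObjectType, data.ObjectName, data.Version, data.EXP) follow the Event Grid schema for Key Vault events; the severity mapping is an assumption for this demo.

```powershell
param(
    [object] $WebhookData   # supplied by Azure Automation when the webhook fires
)

if (-not $WebhookData -or -not $WebhookData.RequestBody) {
    throw "This runbook expects to be started by its webhook with a request body."
}

# Event Grid delivers a JSON array of events; coerce a single object into an array too.
$events = @($WebhookData.RequestBody | ConvertFrom-Json)
$keyVaultPrefix = 'Microsoft.KeyVault.'

foreach ($evt in $events) {
    if (-not $evt.eventType.StartsWith($keyVaultPrefix)) {
        Write-Output ("Ignoring non-Key Vault event: {0}" -f $evt.eventType)
        continue
    }

    $d = $evt.data
    $shortType = $evt.eventType.Substring($keyVaultPrefix.Length)

    # Access policy changes alter who can read secrets, so rank them above lifecycle events.
    # (Severity levels are an assumption chosen for this example.)
    $severity = switch -Wildcard ($shortType) {
        'VaultAccessPolicyChanged' { 'HIGH'; break }
        '*Expired'                 { 'HIGH'; break }
        '*NearExpiry'              { 'MEDIUM'; break }
        default                    { 'INFO' }
    }

    $line = "[{0}] {1} vault={2} object={3}/{4} version={5} at={6}" -f `
        $severity, $shortType, $d.VaultName, $d.ObjectType, $d.ObjectName, $d.Version, $evt.eventTime

    # EXP is the expiry as Unix epoch seconds and is present only when an expiry is set.
    if ($d.EXP) {
        $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$d.EXP).UtcDateTime
        $line += " expires={0:u}" -f $expires
    }

    # Write-Output lands in the job's output stream, which is visible in the Automation job history.
    Write-Output $line
}
```

Each line written here appears in the Runbook job output, which is where the "last triggered" check described later can be cross-checked against the event details.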



Prepare Webhook


Next, we need to create a Webhook to trigger the Runbook created above. One thing to consider during the creation of the Webhook: copy the URL and save it somewhere safe, because it cannot be viewed later on. Treat that URL like a credential, since anyone holding it can start the Runbook.



Prepare Event Grid Subscription


Move inside the Key Vault and click Events (Preview). Here we need to supply the prerequisite details, such as the Event Types filter and the Endpoint Type.


Select all options under Filter to Event Types and choose Webhook as the Endpoint Type. In the new context pane, paste the Webhook URL copied during the Webhook's creation into the Subscriber Endpoint field.


Prepare Logic Apps via Event Grid


Using the Event Grid implementation above, we can capture the Key Vault change events, and via an Azure Logic App we can trigger a notification mail whenever a key event occurs in the Key Vault.

Next, go to the Key Vault, select Events - Get Started and click Logic Apps.


In the Logic Apps Designer, validate the connection and proceed. Here we can select all change events under Event Type Item to catch all changes at once.


We can use a mail-specific action, i.e. SendGrid, with its account and API details to send the email. An email template must be built, including dynamic content based on the event data.



Validate the Event Grid 


For validation, we can perform some activity on the Key Vault, such as creating a new key or secret, generating a new version, or changing a policy. We can even set the expiry date a bit early so that the service catches the event.


Whenever an event occurs, it is captured by Event Grid and can be seen under the Event Grid's Metrics.


In addition, we can validate using the Webhook: the "last triggered" timestamp should be within 60 seconds of the change to the key or secret. This confirms that Event Grid made a POST to the Webhook with the event details of the status change in the Key Vault and that the Webhook was triggered.


Validate Logic Apps & Email Alert


Similar to Event Grid and the Webhook, the Logic App sends the mail through the SendGrid account with all the event details.


Thus, we can monitor the Key Vault by receiving alerts for the raised events, for example:
  • Keys about to expire
  • Keys expired
  • Keys have been created
  • Policy has been changed

In the next article, we will walk through some other hands-on activities. Keep visiting and talking! 😊