Azure App Service: Exposed Configuration

TL;DR

Yes, storing sensitive configuration data directly within your Azure App Service’s application settings (especially connection strings and API keys) without proper protection is a significant vulnerability. It’s easily accessible to anyone with sufficient permissions and can lead to serious security breaches.

Solution Guide: Securing Your Azure App Service Configuration

1. Understand the Risk
• Application settings in Azure App Service are stored as key-value pairs.
• If these settings contain secrets (passwords, API keys, database connection strings), they become a target for attackers.
• Anyone with access to your Azure portal or the underlying infrastructure could potentially view and misuse this information.
2. Use Azure Key Vault
• Azure Key Vault is a secure cloud service designed to store secrets, keys, and certificates. It provides centralized secret management with access control, auditing, and encryption.

• Step 1: Create a Key Vault.

  In the Azure portal, search for ‘Key Vault’ and create a new instance.

• Step 2: Add Secrets to Key Vault.

  Within your Key Vault, add each secret individually. Give each secret a descriptive name.

• Step 3: Grant App Service Access.

  Navigate to your App Service and go to ‘Identity’. Enable ‘System assigned managed identity’ and save it.

  Then, in Key Vault, go to ‘Access policies’, add a policy for the App Service’s system-assigned identity with permissions like ‘Get secret’, ‘List secrets’.

• Step 4: Configure App Service to use Key Vault.

  In your App Service, go to ‘Configuration’ under ‘Settings’. Add new application settings.

  For the value of each setting, use the following format:

  @Microsoft.KeyVault(vaultUrl=https://your-key-vault-name.vault.azure.net/secrets/your-secret-name)

  Replace your-key-vault-name and your-secret-name with your actual Key Vault name and secret name.

3. Implement Role-Based Access Control (RBAC)
• Limit access to the Azure portal and App Service configuration settings. Only grant necessary permissions to authorized personnel.
• Use built-in roles or create custom roles with specific privileges.
4. Regularly Rotate Secrets
• Periodically change your secrets (passwords, API keys) to minimize the impact of a potential compromise.
• Automate secret rotation whenever possible using Azure Key Vault features or third-party tools.
5. Monitor and Audit Access
• Enable auditing in Azure Key Vault to track access to your secrets.
• Review audit logs regularly for suspicious activity.
• Use Azure Monitor alerts to notify you of unauthorized access attempts.
6. Consider Managed Identities
• Instead of storing credentials in configuration, use managed identities to authenticate your App Service to other Azure resources. This eliminates the need for secrets altogether.