TL;DR
Yes, storing sensitive configuration data directly within your Azure App Service’s application settings (especially connection strings and API keys) without proper protection is a significant vulnerability. It’s easily accessible to anyone with sufficient permissions and can lead to serious security breaches.
Solution Guide: Securing Your Azure App Service Configuration
- Understand the Risk
  - Application settings in Azure App Service are stored as key-value pairs.
  - If these settings contain secrets (passwords, API keys, database connection strings), they become a target for attackers.
  - Anyone with access to your Azure portal or the underlying infrastructure could potentially view and misuse this information.
- Azure Key Vault is a secure cloud service designed to store secrets, keys, and certificates. It provides centralized secret management with access control, auditing, and encryption.
- Step 1: Create a Key Vault.
  In the Azure portal, search for ‘Key Vault’ and create a new instance.
- Step 2: Add Secrets to Key Vault.
  Within your Key Vault, add each secret individually. Give each secret a descriptive name.
- Step 3: Grant App Service Access.
  Navigate to your App Service and go to ‘Identity’. Enable ‘System assigned managed identity’ and save it.
  Then, in Key Vault, go to ‘Access policies’ and add a policy for the App Service’s system-assigned identity with only the secret permissions it needs, such as ‘Get’ and ‘List’.
- Step 4: Configure App Service to use Key Vault.
  In your App Service, go to ‘Configuration’ under ‘Settings’. Add new application settings.
  For the value of each setting, use the Key Vault reference format (the parameter name is SecretUri):
  @Microsoft.KeyVault(SecretUri=https://your-key-vault-name.vault.azure.net/secrets/your-secret-name)
  Replace your-key-vault-name and your-secret-name with your actual Key Vault name and secret name. App Service resolves the reference at startup using the managed identity from Step 3, so the application still reads the setting by name and never sees the vault.
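The same four steps as an Azure CLI script, added here as an example rather than taken from the original answer. The resource group, location, app, vault and secret names are placeholders; it also includes a small audit loop that flags any app setting still holding a plain literal instead of a Key Vault reference.

```shell
#!/bin/sh
# Added example: the four portal steps above as Azure CLI calls.
# All names below are assumed placeholders; override them via the environment.
RG="${RG:-my-rg}"; LOC="${LOC:-westeurope}"
APP="${APP:-my-app-service}"; VAULT="${VAULT:-my-key-vault}"
SECRET="${SECRET:-DbPassword}"        # secret name inside Key Vault
SETTING="${SETTING:-DB_PASSWORD}"     # app-setting name the application reads

# Build the Key Vault reference string an app setting must contain (Step 4 format).
kv_ref() {
  printf '@Microsoft.KeyVault(SecretUri=https://%s.vault.azure.net/secrets/%s)' "$1" "$2"
}

# Return 0 if a setting value is a Key Vault reference, 1 if it is a plain literal
# (which may be a secret stored directly in configuration).
is_kv_ref() {
  case "$1" in
    '@Microsoft.KeyVault('*')') return 0 ;;
    *) return 1 ;;
  esac
}

provision() {
  # Step 1: create the vault in access-policy mode, matching the portal steps above.
  az keyvault create -n "$VAULT" -g "$RG" -l "$LOC" --enable-rbac-authorization false
  # Step 2: add the secret; the value is read from stdin so it never lands in shell history.
  printf 'Secret value: ' >&2; read -r value
  az keyvault secret set --vault-name "$VAULT" -n "$SECRET" --value "$value"
  # Step 3: enable the system-assigned identity and grant it only get/list on secrets.
  pid=$(az webapp identity assign -n "$APP" -g "$RG" --query principalId -o tsv)
  az keyvault set-policy -n "$VAULT" --object-id "$pid" --secret-permissions get list
  # Step 4: point the app setting at the vault instead of storing the literal value.
  az webapp config appsettings set -n "$APP" -g "$RG" \
    --settings "$SETTING=$(kv_ref "$VAULT" "$SECRET")"
  # Audit: report every remaining setting whose value is not a Key Vault reference.
  az webapp config appsettings list -n "$APP" -g "$RG" --query '[].[name,value]' -o tsv |
  while IFS="$(printf '\t')" read -r name val; do
    is_kv_ref "$val" || echo "plain-text setting: $name"
  done
}

# Only touch Azure when explicitly asked: ./script.sh apply
if [ "${1:-}" = "apply" ]; then provision; fi
```

Run with `apply` after `az login`; the audit loop at the end is worth re-running on its own whenever settings change, since any value it prints is a candidate for moving into the vault.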
- Limit access to the Azure portal and App Service configuration settings. Only grant necessary permissions to authorized personnel.
- Use built-in roles or create custom roles with specific privileges.
- Periodically change your secrets (passwords, API keys) to minimize the impact of a potential compromise.
- Automate secret rotation whenever possible using Azure Key Vault features or third-party tools.
- Enable auditing in Azure Key Vault to track access to your secrets.
- Review audit logs regularly for suspicious activity.
- Use Azure Monitor alerts to notify you of unauthorized access attempts.
- Instead of storing credentials in configuration, use managed identities to authenticate your App Service to other Azure resources. This eliminates the need for secrets altogether.