Monitoring and Alerting For Azure Key Vault

The document discusses monitoring and alerting for events in Azure Key Vault. It describes how Key Vault allows setting expiry dates for stored entities and monitoring for upcoming or passed expiry dates. It also discusses how Event Grid enables notifications when secret statuses change, such as nearing expiration, expiration, or new versions. Specific event types for each secret type are listed. The document then describes designing a Logic App to subscribe to Key Vault events via Event Grid and handle the events, such as notifying administrators of status changes.

Uploaded by Poojith Jain

Monitoring and alerting for Azure Key Vault
Alerting Key vault events
Azure Key Vault lets you set an expiry date when you provision or store an entity in the vault, and you can then monitor for events related to an upcoming or passed expiry. Key Vault stores three types of entity:
• Keys
• Secrets
• Certificates

Key Vault's integration with Event Grid raises an event when the status of an entity stored in the vault changes, so that subscribers can be notified. A status change is defined as an entity that is about to expire (30 days before its expiry date), an entity that has expired, or an entity that has a new version available. Events are raised for all three entity types (keys, secrets and certificates). Note that NearExpiry and Expired can only fire for entities that were given an expiry date when they were stored; an entity stored without one never expires and never produces either event, so setting expiry dates is a prerequisite for this kind of alerting.
• NewVersionCreated: triggers when an entity, or a new version of an existing entity, is created.
• NearExpiry: triggers when the current version is about to expire, 30 days before the expiry date recorded on the Key Vault entity.
• Expired: triggers when the current version has passed the expiry date recorded on the Key Vault entity.

Event full name (display name): description

• Microsoft.KeyVault.CertificateNewVersionCreated (Certificate New Version Created): triggered when a new certificate or a new certificate version is created.
• Microsoft.KeyVault.CertificateNearExpiry (Certificate Near Expiry): triggered when the current version of a certificate is about to expire. The event is raised 30 days before the expiry date.
• Microsoft.KeyVault.CertificateExpired (Certificate Expired): triggered when the current version of a certificate has expired.
• Microsoft.KeyVault.KeyNewVersionCreated (Key New Version Created): triggered when a new key or a new key version is created.
• Microsoft.KeyVault.KeyNearExpiry (Key Near Expiry): triggered when the current version of a key is about to expire. The event is raised 30 days before the expiry date.
• Microsoft.KeyVault.KeyExpired (Key Expired): triggered when the current version of a key has expired.
• Microsoft.KeyVault.SecretNewVersionCreated (Secret New Version Created): triggered when a new secret or a new secret version is created.
• Microsoft.KeyVault.SecretNearExpiry (Secret Near Expiry): triggered when the current version of a secret is about to expire. The event is raised 30 days before the expiry date.
• Microsoft.KeyVault.SecretExpired (Secret Expired): triggered when the current version of a secret has expired.
• Microsoft.KeyVault.VaultAccessPolicyChanged (Vault Access Policy Changed): triggered when an access policy on the Key Vault changes, including when the vault's permission model is switched to or from Azure role-based access control.

Design for Alerting events

Applications can react to these events using serverless architectures, without complicated code or expensive, inefficient polling of the vault. Events are pushed through Azure Event Grid to event handlers such as Azure Functions, Azure Logic Apps or your own webhook, and you pay only for the events that are delivered.

In this post we use a Logic App to notify administrators of status changes to records stored in Key Vault. The design has two parts: an Event Grid subscription on the Key Vault, which routes its events to the Logic App, and the Logic App workflow itself, which handles the events.

Create a Logic App with Event Grid subscription

Create an Event Grid subscription through the Azure portal:

1. Go to your Key Vault, select the Events tab, then select "Getting started".
2. Click "Logic Apps".
3. Configure the Event Grid trigger with the following settings (parameterize them where possible rather than hard-coding them):
   • Subscription: the subscription that contains the Key Vault
   • Resource Type: Microsoft.KeyVault.vaults
   • Resource Name: the Key Vault to be monitored
4. Click "Save As" in the Logic App Designer, name the Logic App and click Create. You now have a Logic App that listens for events from the Key Vault.
5. When you navigate to the resource group, an Event Grid System Topic has been created automatically alongside the Logic App. The system topic is what delivers the Key Vault events to the Logic App. As a check, the Events tab on the vault lists the resulting event subscription; if it is missing, the trigger was saved but the subscription was not created.

Logic App to Handle the Events from Key Vault

The Logic App is triggered by the Event Grid system topic whenever the status of a record in the Key Vault changes. The workflow can branch on the event type (a Switch action keyed on eventType), parse the event data (vault name, object type, object name, version and expiry), and send a notification to the administrator describing the event.
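The following is an added example, not code from the original post, showing the same handler logic as plain Python, in the form a custom webhook endpoint (the third handler type mentioned under "Design for Alerting events") would need. It dispatches on eventType, pulls the vault, object name and expiry out of the event data, and also answers the one-time subscription validation handshake that Event Grid performs against a custom webhook (Logic Apps and Functions triggers do that handshake for you). The envelope and data field names follow the published Event Grid schema for Key Vault system topics; the sample events, vault name, object names and validation code are constructed for the example.

```python
"""Webhook-style handler for Key Vault events delivered by Azure Event Grid.

Added example, not the original page's code. Envelope fields (eventType, data)
and Key Vault data fields (Id, VaultName, ObjectType, ObjectName, Version, EXP
as Unix seconds) follow the Event Grid schema for Microsoft.KeyVault.vaults
system topics. Every event below is a constructed sample, not captured traffic.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

KV_PREFIX = "Microsoft.KeyVault."
VALIDATION_EVENT = "Microsoft.EventGrid.SubscriptionValidationEvent"
STATUSES = ("NewVersionCreated", "NearExpiry", "Expired")


def handle_post(body: str, now: datetime):
    """Process one Event Grid delivery (a JSON array of events).

    Returns (response_body, notifications). The response body is non-empty only
    for the subscription validation handshake: a custom webhook must echo the
    validationCode back or Event Grid refuses to create the subscription.
    """
    response, notifications = {}, []
    for event in json.loads(body):
        if event["eventType"] == VALIDATION_EVENT:
            response = {"validationResponse": event["data"]["validationCode"]}
            continue
        note = classify(event, now)
        if note is not None:
            notifications.append(note)
    return response, notifications


def classify(event: dict, now: datetime) -> Optional[dict]:
    """The 'switch on event type' step: map one Key Vault event to a notification.
    Returns None for events from other topics (e.g. a shared endpoint)."""
    etype = event["eventType"]
    if not etype.startswith(KV_PREFIX):
        return None
    action = etype[len(KV_PREFIX):]          # e.g. "SecretNearExpiry"
    data = event["data"]
    vault = data.get("VaultName", "?")

    if action == "VaultAccessPolicyChanged":
        # Control-plane change to who may read the vault: investigate, not housekeeping.
        return {"severity": "high", "vault": vault, "object": None,
                "text": f"Access policy or permission model changed on {vault}; "
                        f"check the activity log for the caller."}

    for status in STATUSES:                  # split "<ObjectType><Status>"
        if action.endswith(status):
            object_type = action[: -len(status)]   # Key / Secret / Certificate
            break
    else:
        return {"severity": "low", "vault": vault, "object": None,
                "text": f"Unhandled Key Vault event type {etype}"}

    obj = f"{object_type}/{data.get('ObjectName', '?')}"
    exp = data.get("EXP")                    # present only if an expiry was set
    exp_dt = datetime.fromtimestamp(exp, tz=timezone.utc) if exp is not None else None
    exp_text = exp_dt.isoformat() if exp_dt else "unknown"

    if status == "NewVersionCreated":
        return {"severity": "info", "vault": vault, "object": obj,
                "text": f"New version {data.get('Version', '?')} of {obj} in {vault}; "
                        f"rotate clients pinned to the old version."}
    if status == "NearExpiry":
        days_left = (exp_dt - now).days if exp_dt else None
        return {"severity": "warning", "vault": vault, "object": obj, "days_left": days_left,
                "text": f"{obj} in {vault} expires in {days_left} days ({exp_text}); renew it."}
    return {"severity": "high", "vault": vault, "object": obj,
            "text": f"{obj} in {vault} expired at {exp_text}; dependent services may fail."}


# ---- constructed sample delivery (not real traffic) -------------------------
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)


def kv_event(event_type, vault, object_type, name, version, exp: Optional[datetime]) -> dict:
    """Build a constructed Key Vault event in Event Grid schema."""
    return {"id": f"{name}-{version}", "eventType": event_type, "subject": name,
            "eventTime": SAMPLE_NOW.isoformat(), "dataVersion": "1", "metadataVersion": "1",
            "data": {"Id": f"https://{vault}.vault.azure.net/{object_type.lower()}s/{name}/{version}",
                     "VaultName": vault, "ObjectType": object_type, "ObjectName": name,
                     "Version": version, "EXP": int(exp.timestamp()) if exp else None}}


SAMPLE_BODY = json.dumps([
    {"id": "v", "eventType": VALIDATION_EVENT, "subject": "", "eventTime": SAMPLE_NOW.isoformat(),
     "dataVersion": "1", "metadataVersion": "1",
     "data": {"validationCode": "512d38b6-c7b8-40c8-89fe-f46f9e9622b6"}},
    kv_event("Microsoft.KeyVault.SecretNearExpiry", "prod-kv", "Secret", "db-password",
             "a1b2", SAMPLE_NOW + timedelta(days=29)),
    kv_event("Microsoft.KeyVault.KeyExpired", "prod-kv", "Key", "signing-key",
             "0001", SAMPLE_NOW - timedelta(hours=1)),
    kv_event("Microsoft.KeyVault.CertificateNewVersionCreated", "prod-kv", "Certificate",
             "api-tls", "c9f0", SAMPLE_NOW + timedelta(days=365)),
    {"id": "p", "eventType": "Microsoft.KeyVault.VaultAccessPolicyChanged", "subject": "",
     "eventTime": SAMPLE_NOW.isoformat(), "dataVersion": "1", "metadataVersion": "1",
     "data": {"Id": "https://prod-kv.vault.azure.net/", "VaultName": "prod-kv"}},
])

if __name__ == "__main__":
    response, notes = handle_post(SAMPLE_BODY, SAMPLE_NOW)
    print("HTTP 200 body:", json.dumps(response))
    for n in notes:
        print(f"[{n['severity']}] {n['text']}")
```

The severity mapping is a design choice for the example: VaultAccessPolicyChanged and Expired are rated high because the first changes who can read secrets and the second means dependent services are already failing, while NearExpiry is the one event that still leaves time to act, so the handler computes the days remaining from EXP rather than relying on the fixed 30-day window.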
