Because secrets vary in kind, their scope and lifetime can vary as well. A new secret can be minted for each granular purpose, provided a naming convention is maintained, so that a secret is easy to locate and its name alone identifies the secret and its intended use.
Another way to use Key Vault secrets is in conjunction with monitoring and alerting. Key Vault provides a secure way to store keys, secrets and certificates in the cloud, so access to it is equally worth monitoring, both to confirm that the vault is functioning properly for its clients and to know whether the clients are accessing it correctly. If the SLA for a secret is not met, the business suffers a disruption, because a single secret typically has numerous consumers.
Monitoring is a helpful service in many scenarios and deserves its own elaboration, but in this section the emphasis is on monitoring Key Vault. The lifecycle events that Key Vault publishes include NewVersionCreated, NearExpiry and Expired, each available for secrets, keys and certificates (for example Microsoft.KeyVault.SecretNearExpiry). These events are delivered through Event Grid to consumers such as Logic Apps, Azure Functions and Azure Service Bus. Note that access itself, meaning who read which secret and whether the call succeeded, is not an Event Grid event; it is recorded in the vault's diagnostic logs (the AuditEvent category), which can be routed to a Log Analytics workspace for alerting. Although the events cover the vault's own functionality, they do not surface events raised from the hardware layer when the vault is backed by hardware security modules. In the software plane, Key Vault integrates with almost any cloud service by virtue of REST calls, the SDKs and the command-line interface.
The Azure Key Vault portal provides the option to set up an Event Grid subscription, for example with a Logic App as the handler. The Event Grid trigger is then configured with the subscription in which the Key Vault resides, the resource type Microsoft.KeyVault.vaults and the resource name of the Key Vault to be monitored. The result appears in the resource group view as an "Event Grid System Topic".
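As an added example (not code from the original post), here is the consumer side of the Event Grid subscription described above: an Azure Function-style handler that parses the Key Vault lifecycle events, turns the NearExpiry and Expired ones into alert records, and checks each object name against the naming convention from the opening paragraph. The event batch is constructed to follow the documented Event Grid schema for Key Vault events; the vault name contoso-kv, the secret names and the app-env-purpose convention are assumptions made for illustration.

```python
"""Consume Key Vault lifecycle events from Event Grid and check object names
against a naming convention.  Added example, not code from the original post."""
import re
from datetime import datetime, timedelta, timezone

# Key Vault object names: 1-127 characters, letters, digits and hyphens only.
KV_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,127}$")
# Assumed convention for this example: <app>-<env>-<purpose>.
ENVIRONMENTS = {"dev", "test", "prod"}
CONVENTION_RE = re.compile(r"^(?P<app>[a-z0-9]+)-(?P<env>[a-z]+)-(?P<purpose>[a-z0-9-]+)$")

def parse_secret_name(name):
    """Return (app, env, purpose) when the name follows the convention, else None."""
    if not KV_NAME_RE.match(name):
        return None
    m = CONVENTION_RE.match(name)
    if not m or m.group("env") not in ENVIRONMENTS:
        return None
    return m.group("app"), m.group("env"), m.group("purpose")

# Event types Key Vault publishes (documented names); the severity is our own mapping.
SEVERITY = {
    "Microsoft.KeyVault.SecretNewVersionCreated": "info",
    "Microsoft.KeyVault.SecretNearExpiry": "warning",
    "Microsoft.KeyVault.SecretExpired": "critical",
    "Microsoft.KeyVault.KeyNewVersionCreated": "info",
    "Microsoft.KeyVault.KeyNearExpiry": "warning",
    "Microsoft.KeyVault.KeyExpired": "critical",
    "Microsoft.KeyVault.CertificateNewVersionCreated": "info",
    "Microsoft.KeyVault.CertificateNearExpiry": "warning",
    "Microsoft.KeyVault.CertificateExpired": "critical",
}

def handle_event(event, now):
    """Map one Event Grid event to an alert record; None for non-Key-Vault events."""
    etype = event.get("eventType", "")
    if not etype.startswith("Microsoft.KeyVault."):
        return None
    data = event["data"]  # Key Vault payload: Id, VaultName, ObjectType, ObjectName, Version, NBF, EXP
    name = data["ObjectName"]
    record = {
        "vault": data["VaultName"],
        "object_type": data["ObjectType"],
        "name": name,
        "version": data.get("Version"),
        "event": etype.rsplit(".", 1)[1],
        "severity": SEVERITY.get(etype, "unknown"),
        "naming_ok": parse_secret_name(name) is not None,
    }
    exp = data.get("EXP")  # expiry as Unix epoch seconds; absent when the object never expires
    if exp is not None:
        record["days_to_expiry"] = (datetime.fromtimestamp(exp, timezone.utc) - now).days
    return record

def process_batch(events, now=None):
    """Event Grid delivers a JSON array; return only the records that need action."""
    now = now or datetime.now(timezone.utc)
    records = (handle_event(e, now) for e in events)
    return [r for r in records if r and r["severity"] in ("warning", "critical")]

# Constructed sample batch; the shape follows the Event Grid schema for Key Vault events.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
VAULT = "contoso-kv"  # assumed vault name

def _event(etype, name, version, exp):
    return {
        "id": f"{name}-{version}",
        "topic": f"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
                 f"/providers/Microsoft.KeyVault/vaults/{VAULT}",
        "subject": name,
        "eventType": etype,
        "eventTime": NOW.isoformat(),
        "data": {
            "Id": f"https://{VAULT}.vault.azure.net/secrets/{name}/{version}",
            "VaultName": VAULT,
            "ObjectType": "Secret",
            "ObjectName": name,
            "Version": version,
            "NBF": int((NOW - timedelta(days=365)).timestamp()),
            "EXP": int(exp.timestamp()),
        },
        "dataVersion": "1",
        "metadataVersion": "1",
    }

SAMPLE_EVENTS = [
    _event("Microsoft.KeyVault.SecretNewVersionCreated", "payments-prod-db-password", "v2", NOW + timedelta(days=90)),
    _event("Microsoft.KeyVault.SecretNearExpiry", "payments-prod-db-password", "v1", NOW + timedelta(days=20)),
    _event("Microsoft.KeyVault.SecretExpired", "LegacyApiKey", "v1", NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    for r in process_batch(SAMPLE_EVENTS, NOW):
        print(r)
```

The NewVersionCreated event is deliberately dropped from the alert list; it is still worth logging, since an unexpected new version is how a rotation job or an attacker with set permissions shows up. The naming_ok flag lets the same handler catch secrets created outside the convention without a second pipeline.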
Two recovery features, independent of the expiration events above, can be enabled on Azure Key Vault: soft-delete and purge protection. Soft-delete acts like a recycle bin: a deleted key, secret or certificate is retained for a configurable period (7 to 90 days) and can be recovered during that time; if it must be removed completely before then, it can be purged. Purge protection removes that shortcut: while it is on, neither the vault nor its objects can be purged until the retention period has elapsed. Soft-delete is on by default for new vaults, and purge protection cannot be turned off once enabled, so it should be switched on deliberately before the vault holds anything that matters.
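To make the two settings checkable rather than just described, here is an added example (not the post's own code) that audits the recovery settings of several vaults from the properties object that az keyvault show returns; the three field names are the ARM property names. The vault names, their sample values and the 30-day minimum retention are constructed for illustration.

```python
"""Audit Key Vault recovery settings: soft-delete and purge protection.
Added example, not code from the original post.  Input is the 'properties'
object of each vault as returned by 'az keyvault show --query properties';
the 30-day minimum retention is an assumed organisational policy."""

MIN_RETENTION_DAYS = 30  # assumed policy; Azure accepts 7..90

def recovery_findings(props):
    """Return the problems with one vault's recovery settings (empty list = compliant)."""
    findings = []
    if not props.get("enableSoftDelete"):
        findings.append("soft-delete disabled: deleted objects are gone immediately")
    retention = props.get("softDeleteRetentionInDays")
    if retention is None or retention < MIN_RETENTION_DAYS:
        findings.append(f"retention {retention} days is below the {MIN_RETENTION_DAYS}-day policy")
    # 'az keyvault show' reports null here when purge protection was never enabled.
    if not props.get("enablePurgeProtection"):
        findings.append("purge protection off: a deleted object can be purged before retention ends")
    return findings

def audit(vaults):
    """Map vault name -> findings for a dict of {vault name: properties}."""
    return {name: recovery_findings(props) for name, props in vaults.items()}

def non_compliant(vaults):
    """Sorted names of the vaults that have at least one finding."""
    return sorted(name for name, findings in audit(vaults).items() if findings)

# Constructed sample: one weak vault beside one hardened vault.
SAMPLE_VAULTS = {
    "kv-legacy": {
        "enableSoftDelete": True,
        "softDeleteRetentionInDays": 7,
        "enablePurgeProtection": None,  # never enabled
    },
    "kv-hardened": {
        "enableSoftDelete": True,
        "softDeleteRetentionInDays": 90,
        "enablePurgeProtection": True,
    },
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_VAULTS).items():
        print(name, findings or ["ok"])
```

Feeding it the output of az keyvault show for each vault gives a list of vaults to fix; the remediation for the most common finding is az keyvault update --name <vault> --enable-purge-protection true, bearing in mind that the change is one-way.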