Merge branch 'main' of https://github.com/MicrosoftDocs/azure-security-docs-pr into wi-552241-batch-2-defender-for-containers

Author: sbreingold-ms

.openpublishing.redirection.defender-for-cloud.json

@@ -574,6 +574,11 @@
       "source_path_from_root": "/articles/defender-for-cloud/monitor-connected-aws-resources.md",
       "redirect_url": "/azure/defender-for-cloud/quickstart-onboard-aws#validate-connector-health",
       "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/defender-for-cloud/deploy-vulnerability-assessment-vm.md",
+      "redirect_url": "/azure/defender-for-cloud/deploy-vulnerability-assessment-defender-vulnerability-management",
+      "redirect_document_id": false
     }
   ]
 }

articles/attestation/tpm-attestation-sample-policies.md

@@ -71,7 +71,7 @@ c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="Bitlocker
 [type=="BitlockerStatus", issuer=="AttestationPolicy"] => issue(type="BitlockerStatus", value=true);
 ![type=="BitlockerStatus", issuer=="AttestationPolicy"] => issue(type="BitlockerStatus", value=false);
 
-// Elam Driver (windows defender) Loaded
+// Elam Driver (Microsoft Defender) Loaded
 c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="elamDriverLoaded", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_LOADEDMODULE_AGGREGATION[] | [? EVENT_IMAGEVALIDATED == `true` && (equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wdboot.sys') || equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wd\\wdboot.sys'))] | @ != `null`")));
 [type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="ELAMDriverLoaded", value=true);
 ![type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="ELAMDriverLoaded", value=false);

articles/cloud-hsm/authentication.md

@@ -68,14 +68,17 @@ When you use an OpenSSL engine for Azure Cloud HSM, environmental variables supp
 
 ```sh
 export azcloudhsm_password="cu1:user1234" 
-export azcloudhsm_openssl_conf=/usr/local/bin/AzureCloudHSM-ClientSDK-1.0.4.0/azcloudhsm_openssl_dynamic.conf
-export LD_LIBRARY_PATH=/usr/local/lib64/AzureCloudHSM-ClientSDK-1.0.4.0/:$LD_LIBRARY_PATH
+export azcloudhsm_openssl_conf=/opt/azurecloudhsm/bin/azcloudhsm_openssl_dynamic.conf
+export LD_LIBRARY_PATH=/opt/azurecloudhsm/lib64/:$LD_LIBRARY_PATH
 …
 sudo ./azcloudhsm_client azcloudhsm_client.cfg > /dev/null 2>&1 &
 openssl genpkey -algorithm RSA -out private_key.pem -engine azcloudhsm_openssl
 …
 ```
 
+> [!NOTE]
+> Update the paths to match your installed SDK version. The default installation path is `/opt/azurecloudhsm/`. For the latest SDK, see the [Azure Cloud HSM SDK releases](https://github.com/microsoft/MicrosoftAzureCloudHSM/releases).
+
 For authentication details with OpenSSL, consult the [guide for integrating OpenSSL with Azure Cloud HSM](https://github.com/microsoft/MicrosoftAzureCloudHSM/blob/main/IntegrationGuides/Azure%20Cloud%20HSM%20OpenSSL%20Integration%20Guide.pdf).
 
 ## Multithreading techniques

articles/cloud-hsm/faq.yml

@@ -19,7 +19,7 @@ sections:
           
           Azure Cloud HSM supports various applications, including PKCS#11, offloading of Secure Sockets Layer (SSL) or Transport Layer Security (TLS) processing, certificate authority (CA) private key protection, and transparent data encryption (TDE). It also supports document and code signing.
           
-          Azure Cloud HSM provides high availability and redundancy by grouping multiple HSMs into a cluster and automatically synchronizing across three HSM instances. The HSM cluster supports load balancing of cryptographic operations. Periodic HSM backups help ensure secure and simple data recovery. For more information, see [What is Azure Cloud HSM?](overview.md).
+          Azure Cloud HSM provides high availability and redundancy by grouping multiple HSMs into a cluster and automatically synchronizing across three HSM nodes. The HSM cluster supports load balancing of cryptographic operations. Periodic HSM backups help ensure secure and simple data recovery. For more information, see [What is Azure Cloud HSM?](overview.md).
       - question: |-  
           What is an HSM?  
         answer: |-  

articles/cloud-hsm/key-management.md

@@ -28,6 +28,11 @@ To avoid exceeding Azure Cloud HSM service limits, consider using one or more of
 > [!NOTE]
 > Wait 24 hours after you create a key to ensure that synchronization and backups within your Azure Cloud HSM deployment are complete.
 
+> [!CAUTION]
+> If a key exists on only one node and that node fails without a backup, you can be permanently locked out of your encrypted data with no recovery option. Always verify that keys are synchronized across all nodes and maintain regular backups.
+>
+> When creating users, it is the customer's responsibility to ensure users are present on all nodes of the Azure Cloud HSM cluster. For more information, see [Ensure your HSM users are available on all nodes of your cluster](user-management.md#ensure-your-hsm-users-are-available-on-all-nodes-of-your-cluster). For steps on synchronizing missing keys, see [Synchronize users and keys across Azure Cloud HSM nodes](synchronize-users-keys.md).
+
 ## Manage key wrapping
 
 You use the `EXTRACTABLE` attribute in Azure Cloud HSM to mark keys as either extractable or nonextractable. By default, HSM keys are set as extractable. You can export extractable keys from the HSM through key wrapping, which encrypts the keys. The keys then require unwrapping via the same wrapping key before use.

articles/cloud-hsm/onboarding-guide.md

@@ -13,7 +13,7 @@ ms.author: keithp
 
 # Azure Cloud HSM onboarding guide
 
-Microsoft Azure Cloud HSM provides dedicated, FIPS 140-2 Level 3 validated hardware security modules (HSMs) for customers who require high levels of cryptographic key security. To help new users get started, Microsoft published a comprehensive onboarding guide that outlines the steps for provisioning, configuring, and using Azure Cloud HSM effectively.
+Microsoft Azure Cloud HSM provides dedicated, FIPS 140-3 Level 3 validated hardware security modules (HSMs) for customers who require high levels of cryptographic key security. To help new users get started, Microsoft published a comprehensive onboarding guide that outlines the steps for provisioning, configuring, and using Azure Cloud HSM effectively.
 
 The onboarding guide is available as a PDF. It includes detailed instructions, best practices, and prerequisites for a smooth setup process. You can access the full guide here: [Microsoft Azure Cloud HSM Onboarding Guide](https://github.com/microsoft/MicrosoftAzureCloudHSM/blob/main/OnboardingGuides/Azure%20Cloud%20HSM%20Onboarding.pdf).
 

articles/cloud-hsm/overview.md

@@ -24,15 +24,15 @@ Azure Cloud HSM supports various applications, including PKCS#11, offloading of
 
 ### Fully managed solution
 
-Many customers require administrative control of their HSM but don't want the overhead and ancillary costs that come with cluster management for high availability, patching, and maintenance. Azure Cloud HSM customers have secure, direct, end-to-end encrypted access to their HSM instances in their HSM cluster over a private, dedicated link from their virtual network.
+Many customers require administrative control of their HSM but don't want the overhead and ancillary costs that come with cluster management for high availability, patching, and maintenance. Azure Cloud HSM customers have secure, direct, end-to-end encrypted access to HSM nodes in their HSM cluster over a private, dedicated link from their virtual network.
 
 After a customer provisions an Azure Cloud HSM cluster, the customer maintains administrative access to their HSMs. The Azure Cloud HSM service takes care of high availability, patching, and maintenance.
 
 ### Customer-owned, highly available, single-tenant HSM as a service
 
-Azure Cloud HSM provides high availability and redundancy by grouping multiple HSMs into an HSM cluster. The service automatically synchronizes keys and policies across each HSM instance.
+Azure Cloud HSM provides high availability and redundancy by grouping multiple HSMs into an HSM cluster. The service automatically synchronizes keys and policies across each HSM node.
 
-Each HSM cluster consists of three HSM partitions. If an HSM resource becomes unavailable, member partitions for your HSM cluster are automatically and securely migrated to healthy nodes.
+Each HSM cluster consists of three HSM nodes. If an HSM resource becomes unavailable, member nodes for your HSM cluster are automatically and securely migrated to healthy nodes.
 
 The Azure Cloud HSM cluster supports load balancing of cryptographic operations. Periodic HSM backups help ensure secure and simple data recovery.
 

articles/cloud-hsm/secure-cloud-hsm.md

@@ -89,7 +89,7 @@ Authentication is a crucial aspect of securely accessing and operating within Az
 
 ## Business continuity and disaster recovery
 
-- **Implement robust backup and disaster recovery**: Azure Cloud HSM provides high availability through clustered HSMs that synchronize keys and policies while automatically migrating partitions during failures. The service supports comprehensive backup and restore operations that preserve all keys, attributes, and role assignments. Backups are secured by HSM-derived keys that Microsoft can't access.
+- **Implement robust backup and disaster recovery**: Azure Cloud HSM provides high availability through clustered HSMs that synchronize keys and policies while automatically migrating workloads during failures. The service supports comprehensive backup and restore operations that preserve all keys, attributes, and role assignments. Backups are secured by HSM-derived keys that Microsoft can't access.
 
   For business continuity and disaster recovery (BCDR):
 
@@ -103,6 +103,8 @@ Authentication is a crucial aspect of securely accessing and operating within Az
 
   For detailed implementation instructions and additional recovery options, see [Backup and restore in Azure Cloud HSM](backup-restore.md). Additional recovery options include using `extractMaskedObject` to extract keys as encrypted blobs, storing them securely, and importing them with `insertMaskedObject` as needed. A BCDR best practice is to deploy in two regions for failover capability.
 
+- **Verify user and key synchronization across all nodes**: Azure Cloud HSM operates as a cluster of three nodes. During service events such as self-healing or upgrades, users or keys might not be replicated to all nodes. If you experience intermittent authentication or operation failures, verify that all users and keys exist on every node. For verification and remediation steps, see [Synchronize users and keys across Azure Cloud HSM nodes](synchronize-users-keys.md).
+
 ## Related content
 
 - [Security best practices for IaaS workloads in Azure](/azure/security/fundamentals/iaas)

articles/cloud-hsm/synchronize-users-keys.md

@@ -0,0 +1,188 @@
+---
+title: Synchronize users and keys across Azure Cloud HSM nodes
+description: Learn how to identify and fix missing users or keys across Azure Cloud HSM cluster nodes.
+author: keithp
+manager: davinune
+ms.service: azure-cloud-hsm
+ms.topic: how-to
+ms.date: 03/20/2025
+ms.author: keithp
+---
+
+# Synchronize users and keys across Azure Cloud HSM nodes
+
+This article explains how to identify and resolve synchronization issues when users or keys are missing from one or more nodes in your Azure Cloud HSM cluster.
+
+## Overview
+
+In some cases, users or keys might not be replicated to all nodes in your Azure Cloud HSM cluster. This can occur during service events such as self-healing or upgrades, or if creation fails on one or more nodes. If you're experiencing intermittent authentication failures or cryptographic operation errors, you might have users or keys that need to be synchronized.
+
+> [!IMPORTANT]
+> A user or key that exists on only one node is at risk of permanent, unrecoverable loss if that node fails. If you identify missing users or keys, synchronize them immediately and ensure you have current backups.
+
+## Prerequisites
+
+- Access to a VM with the Azure Cloud HSM SDK installed
+- The `azcloudhsm_mgmt_util` tool
+- Cryptography officer (CO) credentials for your Azure Cloud HSM deployment
+
+## User synchronization
+
+All users in Azure Cloud HSM are fully managed by the customer. The service doesn't perform backend user synchronization if user creation fails. If user creation fails on one or more nodes, you must manually synchronize the user to the missing nodes.
+
+> [!IMPORTANT]
+> Ensure that all users are consistently created and present across every node in the cluster. If a user is missing or creation fails on any node, you must execute the required commands and perform validation steps to restore consistency.
+
+### Identify missing users
+
+1. Start the management utility:
+
+   ```bash
+   ./azcloudhsm_mgmt_util ./azcloudhsm_resource.cfg
+   ```
+
+1. Run the `listUsers` command to display the User ID, User Type, and Username under each node (server 0, 1, 2):
+
+   ```bash
+   listUsers
+   ```
+
+1. Observe the number of users found for each node and corresponding usernames. Compare the lists across all three servers to identify any missing users.
+
+### Synchronize missing users
+
+1. Sign in as a cryptography officer (CO):
+
+   ```bash
+   loginHSM CO admin <adminPassword>
+   ```
+
+   Verify that you successfully signed in to all three nodes:
+
+   ```output
+   loginHSM success on server 0
+   loginHSM success on server 1
+   loginHSM success on server 2
+   ```
+
+   > [!NOTE]
+   > If sign-in fails on any node, the sync operation might fail. Ensure successful sign-in to all nodes before proceeding.
+
+1. Identify the source node that has the user. In this example, server 0 has a user that's not available on server 1 and server 2:
+
+   ```bash
+   server 0
+   ```
+
+1. Run the `syncUser` command for each server where the user is missing. Replace `<UserID>` with the actual User ID:
+
+   ```bash
+   syncUser <UserID> 1
+   syncUser <UserID> 2
+   ```
+
+   > [!NOTE]
+   > If `syncUser` is executed against a node where the user already exists, the error message "user already created, unable to insert object" appears. If the user doesn't exist, the operation succeeds.
+
+### Validate user synchronization
+
+1. Exit the current server context:
+
+   ```bash
+   exit
+   ```
+
+1. Run `listUsers` to confirm that all User IDs, User Types, and Usernames are now equal and available under each node (server 0, 1, 2):
+
+   ```bash
+   listUsers
+   ```
+
+## Key synchronization
+
+When you create keys, it's your responsibility to ensure keys are present on all nodes. Although Azure Cloud HSM supports service-side key synchronization and restore operations, you must verify that keys are available on any missing nodes before use.
+
+> [!IMPORTANT]
+> If a key is missing or creation fails on any node, you must execute the appropriate commands and perform validation steps to restore consistency. A key that exists on only one node is at risk of permanent loss if that node fails.
+
+### Identify missing keys
+
+1. Start the management utility:
+
+   ```bash
+   ./azcloudhsm_mgmt_util ./azcloudhsm_resource.cfg
+   ```
+
+1. Sign in as a cryptography officer (CO):
+
+   ```bash
+   loginHSM CO admin <adminPassword>
+   ```
+
+   Verify that you successfully signed in to all three nodes:
+
+   ```output
+   loginHSM success on server 0
+   loginHSM success on server 1
+   loginHSM success on server 2
+   ```
+
+1. Run the `findAllKeys` command to display the number of keys and key handle IDs under each node:
+
+   ```bash
+   findAllKeys 0 0
+   ```
+
+1. Observe the number of keys found for each node and corresponding key handle IDs. Compare the results across all three servers to identify any missing keys.
+
+### Synchronize missing keys
+
+1. Identify the source node that has the key. In this example, server 0 has a key handle that's not available on server 1 and server 2:
+
+   ```bash
+   server 0
+   ```
+
+1. Run the `syncKey` command for each server where the key is missing. Replace `<KeyHandle>` with the actual key handle ID:
+
+   ```bash
+   syncKey <KeyHandle> 1
+   syncKey <KeyHandle> 2
+   ```
+
+   For example, to synchronize key handle 262150 to servers 1 and 2:
+
+   ```bash
+   syncKey 262150 1
+   syncKey 262150 2
+   ```
+
+### Validate key synchronization
+
+1. Exit the current server context:
+
+   ```bash
+   exit
+   ```
+
+1. Run `findAllKeys 0 0` to confirm that all key handles and the number of keys found are now equal and available under each node (server 0, 1, 2):
+
+   ```bash
+   findAllKeys 0 0
+   ```
+
+## Best practices
+
+To prevent synchronization issues and potential data loss:
+
+- **Verify after creation**: After creating any user or key, immediately verify that it exists on all three nodes.
+- **Maintain regular backups**: Use the [backup and restore](backup-restore.md) functionality to protect against node failures.
+- **Monitor for discrepancies**: Periodically run `listUsers` and `findAllKeys 0 0` to check for inconsistencies across nodes.
+- **Act quickly on failures**: If you notice a user or key creation failure, synchronize it to the missing nodes before a node failure occurs.
+
+## Related content
+
+- [Troubleshoot Azure Cloud HSM](troubleshoot.md)
+- [User management in Azure Cloud HSM](user-management.md)
+- [Key management in Azure Cloud HSM](key-management.md)
+- [Backup and restore in Azure Cloud HSM](backup-restore.md)

articles/cloud-hsm/toc.yml

@@ -25,6 +25,8 @@ items:
         href: onboarding-guide.md
       - name: Azure Cloud HSM Integration Guides
         href: integration-guides.md
+      - name: Synchronize users and keys across nodes
+        href: synchronize-users-keys.md
   - name: Security and best practices
     items:
       - name: Secure your Cloud HSM