Risk Level: High
Cloud Entity: Azure Key Vault
CloudGuard Rule ID: D9.AZU.CRY.51
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

KeyVault should have enableRbacAuthorization=true

REMEDIATION

From Portal

From Azure Home open the Portal Menu in the top left corner
Select Key Vaults
Select a Key Vault to audit. Select Access configuration.
Set the Permission model radio button to Azure role-based access control, taking note of the warning message and Click Save.
Select Access Control (IAM).
Select the Role Assignments tab.
Reapply permissions as needed to groups or users.

From TF
Set the 'enable_rbac_authorization' argument to true as below:

resource "azurerm_key_vault" "example" {
	..
	enable_rbac_authorization = true
	..
}

From Command Line
Run

az keyvault update --resource-group RESOURCEGROUP --name KEYVAULTNAME --enable-rbac-authorization true

References

https://workbench.cisecurity.org/sections/1460921/recommendations/2349143
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault?ref=enmilocalfunciona.io#enable_rbac_authorization
https://docs.microsoft.com/en-gb/azure/role-based-access-control/overview
https://learn.microsoft.com/en-us/cli/azure/keyvault?view=azure-cli-latest

Azure Key Vault

Secure key management is essential to protect data in the cloud. Use Azure Key Vault to encrypt keys and small secrets like passwords that use keys stored in hardware security modules (HSMs). For more assurance, import or generate keys in HSMs, and Microsoft processes your keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware). With Key Vault, Microsoft doesn’t see or extract your keys. Monitor and audit your key use with Azure logging—pipe logs into Azure HDInsight or your security information and event management (SIEM) solution for more analysis and threat detection.

Compliance Frameworks

AZU PCI-DSS 4.0
Azure CIS Foundations v. 1.5.0
Azure CIS Foundations v.2.0
Azure CloudGuard Best Practices
Azure NIST 800-53 Rev 5
CloudGuard Azure All Rules Ruleset