Enable Role Based Access Control for Azure Key Vault

The new RBAC permission model for Key Vault enables much finer-grained access control over key vault secrets, keys, certificates, etc., than the vault access policy model. This in turn permits the use of Privileged Identity Management over these roles, securing the key vaults with just-in-time (JIT) access management.

Risk Level: High
Cloud Entity: Azure Key Vault
CloudGuard Rule ID: D9.AZU.CRY.51
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

KeyVault should have enableRbacAuthorization=true

REMEDIATION

From Portal

  1. From Azure Home open the Portal Menu in the top left corner
  2. Select Key Vaults
  3. Select a Key Vault to audit. Select Access configuration.
  4. Set the Permission model radio button to Azure role-based access control, taking note of the warning message, and click Save.
  5. Select Access Control (IAM).
  6. Select the Role Assignments tab.
  7. Reapply permissions as needed to groups or users.

From TF
Set the 'enable_rbac_authorization' argument to true, as below:

resource "azurerm_key_vault" "example" {
	..
	# Use the Azure RBAC permission model instead of vault access policies
	enable_rbac_authorization = true
	..
}

From Command Line
Run

az keyvault update --resource-group RESOURCEGROUP --name KEYVAULTNAME --enable-rbac-authorization true
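The GSL logic above can be run as a local check over `az keyvault list` output. The following is an added example, not part of the CloudGuard rule or the Azure CLI: it evaluates a constructed sample in the shape of that output, treats a missing or null `enableRbacAuthorization` as non-compliant (an assumption: such vaults are on the legacy access-policy model), and emits the remediation command from this page for each finding.

```python
import json

# Constructed sample of `az keyvault list -o json` output, trimmed to the
# fields this check needs; not real tenant data.
SAMPLE_AZ_KEYVAULT_LIST = json.dumps([
    {"name": "kv-rbac-prod", "resourceGroup": "rg-prod",
     "properties": {"enableRbacAuthorization": True}},
    {"name": "kv-legacy-policy", "resourceGroup": "rg-prod",
     "properties": {"enableRbacAuthorization": False}},
    {"name": "kv-old-unset", "resourceGroup": "rg-dev",
     "properties": {"enableRbacAuthorization": None}},
])


def uses_rbac(vault):
    """GSL rule D9.AZU.CRY.51: KeyVault should have enableRbacAuthorization=true.

    Only an explicit true passes. A missing or null value is treated as
    non-compliant (assumption: the vault is still on vault access policies).
    """
    return vault.get("properties", {}).get("enableRbacAuthorization") is True


def evaluate(az_list_json):
    """Return (compliant vault names, list of findings) for az_list_json."""
    vaults = json.loads(az_list_json)
    compliant = [v["name"] for v in vaults if uses_rbac(v)]
    findings = [
        {
            "vault": v["name"],
            "resource_group": v["resourceGroup"],
            "rule": "D9.AZU.CRY.51",
            # Same remediation command as the "From Command Line" step above
            "remediation": (
                f"az keyvault update --resource-group {v['resourceGroup']} "
                f"--name {v['name']} --enable-rbac-authorization true"
            ),
        }
        for v in vaults if not uses_rbac(v)
    ]
    return compliant, findings


if __name__ == "__main__":
    ok, bad = evaluate(SAMPLE_AZ_KEYVAULT_LIST)
    print("compliant:", ok)
    for f in bad:
        print(f"{f['vault']}: FAIL {f['rule']} -> {f['remediation']}")
```

Replace the constructed sample with the real JSON from `az keyvault list -o json` to audit a subscription.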

References

  1. https://workbench.cisecurity.org/sections/1460921/recommendations/2349143
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault?ref=enmilocalfunciona.io#enable_rbac_authorization
  3. https://docs.microsoft.com/en-gb/azure/role-based-access-control/overview
  4. https://learn.microsoft.com/en-us/cli/azure/keyvault?view=azure-cli-latest

Azure Key Vault

Secure key management is essential to protect data in the cloud. Use Azure Key Vault to encrypt keys and small secrets like passwords that use keys stored in hardware security modules (HSMs). For more assurance, import or generate keys in HSMs, and Microsoft processes your keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware). With Key Vault, Microsoft doesn't see or extract your keys. Monitor and audit your key use with Azure logging: pipe logs into Azure HDInsight or your security information and event management (SIEM) solution for more analysis and threa

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset