πŸ“ Azure Key Vault Role Based Access Control is not enabled 🟒

  • Contextual name: πŸ“ Role Based Access Control is not enabled 🟒
  • ID: /ce/ca/azure/key-vault/role-based-access-control
  • Located in: πŸ“ Azure Key Vault

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

  • Internal
    • dec-x-c8041456

Similar Internal Rules

  • Rule: ✉️ dec-x-c8041456 (Policies: 1)

Logic

Description

The recommended way to access Key Vaults is to use the Azure Role-Based Access Control (RBAC) permissions model.

Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. For Key Vault it grants permissions on keys, secrets and certificates (the vault's data plane) through role assignments rather than through per-vault access policies, and so provides one place to manage permissions across all key vaults.

Rationale

The RBAC permissions model gives much finer-grained control over key vault secrets, keys and certificates than the vault access policy model: role assignments can be scoped to the whole vault or to an individual key, secret or certificate, and the built-in roles separate read-only use (for example Key Vault Secrets User) from management (for example Key Vault Secrets Officer). Because data-plane access is granted through role assignments instead of the vault's own configuration, a principal that only has management-plane write access to the vault (such as Contributor) can no longer grant itself data-plane access by editing access policies. The roles can also be made eligible rather than permanently assigned through Privileged Identity Management, securing the key vaults with just-in-time (JIT) access.

Impact

Implementation needs to be designed from the ground up, as this is a fundamental change to the way key vaults are accessed and managed. The moment the permission model is switched, the vault's access policies stop being evaluated, so every user, group and application loses data-plane access until a matching role assignment exists; new role assignments can also take some minutes to propagate. For the least downtime, map the principals in your current access policies to the built-in roles they need (for example Key Vault Secrets User for an application that only reads secrets), create those assignments first, and only then switch the model. The access policies stay stored on the vault and apply again if the model is switched back, which gives a rollback path.


Remediation

From Azure Portal

Key Vaults can be configured to use Azure role-based access control on creation.

For existing Key Vaults:

  1. From Azure Home open the Portal Menu in the top left corner.
  2. Select Key Vaults.
  3. Select a Key Vault to audit.
  4. Select Access configuration.
  5. Set the Permission model radio button to Azure role-based access control, taking note of the warning message.
  6. Click Save.
  7. Select Access Control (IAM).
  8. Select the Role Assignments tab.
  9. Add role assignments (for example Key Vault Secrets User, Key Vault Crypto Officer or Key Vault Administrator) for the groups, users and applications that previously held access policies.

From Azure CLI

To enable RBAC Authorization for each Key Vault, run the following Azure CLI command:

az keyvault update --resource-group <RESOURCE GROUP NAME> --name <KEY VAULT NAME> --enable-rbac-authorization true

From PowerShell

To enable RBAC authorization on each Key Vault, run the following PowerShell command:

Update-AzKeyVault -ResourceGroupName <RESOURCE GROUP NAME> -VaultName <KEY VAULT NAME> -EnableRbacAuthorization $True
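The Impact section's advice to map existing groups and users to their permission needs, together with the CLI remediation above, as an added example that is not part of the original page, the CIS benchmark or any Azure tooling: a Python script that reads the JSON printed by `az keyvault show` or `az keyvault list`, reports vaults still on the access-policy model, and drafts the `az role assignment create` commands that would replace each access policy before the model is switched. The JSON field paths it relies on (`properties.enableRbacAuthorization`, `properties.accessPolicies[].objectId` and `.permissions`, top-level `id`, `name` and `resourceGroup`), the constructed sample vault and the conservative permission-to-role mapping are this example's assumptions; review the generated commands before running them.

```python
"""Audit Key Vaults for the legacy access-policy model and draft the RBAC role
assignments that would replace each access policy.

Added example (not from the page, the CIS benchmark or Azure). Input is the JSON
printed by `az keyvault show --name <vault> -o json` (one object) or
`az keyvault list -o json` (a list); the field paths, the sample vault and the
permission-to-role mapping are this example's assumptions.

Usage:  az keyvault list -o json | python kv_rbac_audit.py
        python kv_rbac_audit.py            # runs against the constructed sample
"""
from __future__ import annotations

import json
import sys

# Assumed, conservative mapping: read-only permission sets get a "User" role,
# anything that can create, change or delete gets an "Officer" role.
READ_ONLY = {"get", "list"}
KEY_USE = READ_ONLY | {"encrypt", "decrypt", "wrapkey", "unwrapkey", "sign", "verify"}

# Constructed sample shaped like `az keyvault show` output (assumed field names).
SAMPLE_VAULT = {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
          "/providers/Microsoft.KeyVault/vaults/kv-app",
    "name": "kv-app",
    "resourceGroup": "rg-app",
    "properties": {
        "enableRbacAuthorization": None,  # null on vaults created before the flag existed
        "accessPolicies": [
            {"objectId": "11111111-1111-1111-1111-111111111111",  # app service principal
             "permissions": {"secrets": ["Get", "List"], "keys": [], "certificates": []}},
            {"objectId": "22222222-2222-2222-2222-222222222222",  # operators group
             "permissions": {"secrets": ["get", "set", "delete", "purge"],
                             "keys": ["get", "create", "sign", "purge"],
                             "certificates": ["get", "list"]}},
        ],
    },
}


def uses_access_policies(vault: dict) -> bool:
    """True when the vault is still on the access-policy model (flag false or null)."""
    return not vault.get("properties", {}).get("enableRbacAuthorization")


def propose_roles(permissions: dict) -> set[str]:
    """Map one access policy's permissions block to built-in Key Vault data-plane roles."""
    perms = {k: {p.lower() for p in (permissions.get(k) or [])}
             for k in ("keys", "secrets", "certificates")}
    roles: set[str] = set()
    if perms["secrets"]:
        roles.add("Key Vault Secrets User" if perms["secrets"] <= READ_ONLY
                  else "Key Vault Secrets Officer")
    if perms["keys"]:
        roles.add("Key Vault Crypto User" if perms["keys"] <= KEY_USE
                  else "Key Vault Crypto Officer")
    if perms["certificates"]:
        roles.add("Key Vault Certificates Officer")
    return roles


def needs_manual_review(permissions: dict) -> list[str]:
    """Permission kinds this mapping does not translate: purge rights and managed storage."""
    flagged = []
    for kind, values in (permissions or {}).items():
        lowered = {p.lower() for p in (values or [])}
        if (kind == "storage" and lowered) or "purge" in lowered:
            flagged.append(kind)
    return flagged


def plan_assignments(vault: dict) -> list[str]:
    """Return az commands (and review notes) recreating each access policy as role assignments."""
    scope = vault["id"]
    lines: list[str] = []
    for policy in vault.get("properties", {}).get("accessPolicies") or []:
        oid = policy["objectId"]
        perms = policy.get("permissions") or {}
        for role in sorted(propose_roles(perms)):
            # Add --assignee-principal-type (User/Group/ServicePrincipal) when known;
            # access policies do not record it, so it is left out here.
            lines.append(f'az role assignment create --assignee-object-id {oid} '
                         f'--role "{role}" --scope {scope}')
        flagged = needs_manual_review(perms)
        if flagged:
            lines.append(f"# MANUAL REVIEW: {oid} held purge or storage rights on "
                         f"{', '.join(flagged)}; not mapped to a role here")
    return lines


def main() -> int:
    data = SAMPLE_VAULT if sys.stdin.isatty() else json.load(sys.stdin)
    noncompliant = 0
    for vault in data if isinstance(data, list) else [data]:
        if not uses_access_policies(vault):
            continue
        noncompliant += 1
        print(f"# {vault['name']}: access-policy model in use; proposed migration:")
        print("\n".join(plan_assignments(vault)))
        print(f"az keyvault update --resource-group {vault['resourceGroup']} "
              f"--name {vault['name']} --enable-rbac-authorization true")
    return 1 if noncompliant else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run the printed `az role assignment create` lines first, wait for them to take effect, and only then run the `az keyvault update ... --enable-rbac-authorization true` line printed last for each vault. Principals whose access policies held purge or managed-storage permissions are listed for manual review rather than mapped, because the conservative mapping above does not claim a built-in role for those rights; the script exits non-zero when any vault is still on the access-policy model, so it can double as the compliance check.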

policy.yaml

Linked Framework Sections

Columns in the original table: Section, Sub Sections, Internal Rules, Policies, Flags. Each entry below gives Section → Sub Section, with the count columns in parentheses.

  • 💼 APRA CPG 234 → 💼 1 Identity and access management controls would ideally ensure access to information assets is only granted where a valid business need exists, and only for as long as access is required. Access is typically granted to users, special purpose system accounts, and information assets such as services and other software. (33)
  • 💼 APRA CPG 234 → 💼 4 Regulated entities would typically put in place processes to ensure that identities and credentials are issued, managed, verified, revoked and audited for authorised devices, users and software/processes. (88)
  • 💼 APRA CPG 234 → 💼 36c deployment and environment management — development, test and production environments are appropriately segregated and enforce segregation of duties; (22)
  • 💼 APRA CPG 234 → 💼 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions. (3436)
  • 💼 APRA CPG 234 → 💼 47c segregation of duty controls which prevent personnel from deploying their own software changes to production; (55)
  • 💼 APRA CPG 234 → 💼 b. access to, and configuration of, information assets is restricted to the minimum required to achieve business objectives. This is typically referred to as the principle of ‘least privilege’ and aims to reduce the number of attack vectors that can be used to compromise information security; (33)
  • 💼 APRA CPG 234 → 💼 h. segregation of duties is enforced through appropriate allocation of roles and responsibilities. This reduces the potential for the actions of a single individual to compromise information security; (33)
  • 💼 CIS Azure v2.1.0 → 💼 8.6 Enable Role Based Access Control for Azure Key Vault - Level 2 (Manual) (1)
  • 💼 CIS Azure v3.0.0 → 💼 3.3.6 Enable Role Based Access Control for Azure Key Vault (Automated) (1)
  • 💼 Cloudaware Framework → 💼 Secure Access (43)