🛡️ Azure Key Vault Role Based Access Control is not enabled🟢

• Contextual name: 🛡️ Role Based Access Control is not enabled🟢
• ID: /ce/ca/azure/key-vault/role-based-access-control
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Azure Key Vault
  • 🔌 Azure Key Vault - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Internal: dec-x-c8041456

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-c8041456	1

Description

Open File

Description

The recommended way to access Key Vaults is to use the Azure Role-Based Access Control (RBAC) permissions model.

Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. It allows users to manage key, secret, and certificate permissions. This provides one place to manage permissions across all Key Vaults.

Rationale

The RBAC permissions model for Key Vaults enables much finer-grained access control for secrets, keys, certificates, and more than the vault access policy. This permits the use of privileged identity management over these roles, securing Key Vaults with JIT access management.

Impact

Implementation needs to be properly designed from the ground up, as this is a fundamental change to the way Key Vaults are accessed and managed. Changing permissions can result in service disruption while permissions are re-applied. To minimize downtime, map current groups and users to their corresponding permission needs.

Audit

... see more

Remediation

Open File

Remediation

From Azure Portal

Key Vaults can be configured to use Azure role-based access control at creation.

For existing Key Vaults:

1. In the Azure portal, open the portal menu in the upper-left corner.
2. Select Key Vaults.
3. Select a Key Vault to configure.
4. Select Access configuration.
5. Set the permission model radio button to Azure role-based access control, taking note of the warning message.
6. Click Save.
7. Select Access Control (IAM).
8. Select the Role Assignments tab.
9. Reapply permissions as needed for groups or users.

From Azure CLI

To enable RBAC Authorization for each Key Vault, run the following Azure CLI command:

az keyvault update \
    --resource-group {{resource-group-name}} \
    --name {{key-vault-name}} \
    --enable-rbac-authorization true

From PowerShell

To enable RBAC authorization on each Key Vault, run the following PowerShell command:

Update-AzKeyVault `
    -ResourceGroupName {{resource-group-name}} `
    -VaultName {{key-vault-name}} `
    -EnableRbacAuthorization $True

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 APRA CPG 234 → 💼 1 Identity and access management controls would ideally ensure access to information assets is only granted where a valid business need exists, and only for as long as access is required. Access is typically granted to users, special purpose system accounts, and information assets such as services and other software.		3	3		no data
💼 APRA CPG 234 → 💼 4 Regulated entities would typically put in place processes to ensure that identities and credentials are issued, managed, verified, revoked and audited for authorised devices, users and software/processes.		8	8		no data
💼 APRA CPG 234 → 💼 36c deployment and environment management —development, test and production environments are appropriately segregated and enforce segregation of duties;		2	2		no data
💼 APRA CPG 234 → 💼 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.		35	37		no data
💼 APRA CPG 234 → 💼 47c segregation of duty controls which prevent personnel from deploying their own software changes to production;		5	5		no data
💼 APRA CPG 234 → 💼 b. access to, and configuration of, information assets is restricted to the minimum required to achieve business objectives. This is typically referred to as the principle of ‘least privilege’ and aims to reduce the number of attack vectors that can be used to compromise information security;		3	3		no data
💼 APRA CPG 234 → 💼 h. segregation of duties is enforced through appropriate allocation of roles and responsibilities. This reduces the potential for the actions of a single individual to compromise information security;		3	3		no data
💼 CIS Azure v5.0.0 → 💼 8.3.6 Ensure that Role Based Access Control for Azure Key Vault is enabled (Automated)			1		no data
💼 Cloudaware Framework → 💼 Secure Access			75		no data