# Limit access to Key Vault data
Security · Key Vault · Rule · 2020_06 · Important
Use the principle of least privilege when assigning access to Key Vault.
## Description
Key Vault is a service designed to securely store sensitive items such as secrets, keys and certificates. Access Policies determine the permissions that user accounts, groups or applications have to Key Vault items.
Applications and administrators commonly need to get, set and list items within a Key Vault. However, these permissions should only be assigned to security principals that require that access. The purge permission should rarely be assigned.
## Recommendation
Consider assigning access to Key Vault data based on the principle of least privilege.
## Examples

### Azure templates
To deploy Key Vaults that pass this rule:
- Use Azure RBAC as the authorization system instead. OR
- Configure the access policies by setting `properties.accessPolicies`:
  - Avoid assigning `purge` and `all` permissions for Key Vault objects. Use specific permissions such as `get` and `set`.
  - Avoid assigning
For example:
```json
{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2023-07-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "sku": {
      "family": "A",
      "name": "premium"
    },
    "tenantId": "[tenant().tenantId]",
    "softDeleteRetentionInDays": 90,
    "enableSoftDelete": true,
    "enablePurgeProtection": true,
    "accessPolicies": [
      {
        "objectId": "[parameters('objectId')]",
        "permissions": {
          "secrets": [
            "get",
            "list",
            "set"
          ]
        },
        "tenantId": "[tenant().tenantId]"
      }
    ]
  }
}
```
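As an added example (not part of this page or of PSRule itself), the following Python check mirrors the rule's two passing conditions against a `Microsoft.KeyVault/vaults` resource: either the vault uses Azure RBAC as its authorization system (the `enableRbacAuthorization` property, which this page does not show), or none of its access policies grants `purge` or `all` on any object type. The sample resource, its object IDs and the `find_broad_policies`/`passes_rule` function names are constructed for the example.

```python
import json

# Constructed sample resource (not from the page): one least-privilege policy
# and one over-broad policy, so both branches of the check are exercised.
SAMPLE_VAULT = json.loads("""
{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2023-07-01",
  "name": "kv-example",
  "properties": {
    "enableRbacAuthorization": false,
    "accessPolicies": [
      {"objectId": "00000000-0000-0000-0000-000000000001",
       "permissions": {"secrets": ["get", "list", "set"]}},
      {"objectId": "00000000-0000-0000-0000-000000000002",
       "permissions": {"keys": ["all"], "secrets": ["get", "purge"]}}
    ]
  }
}
""")

BROAD_PERMISSIONS = {"all", "purge"}
OBJECT_TYPES = ("keys", "secrets", "certificates", "storage")


def find_broad_policies(vault: dict) -> list:
    """Return (objectId, objectType, permission) for every 'all' or 'purge' grant."""
    findings = []
    for policy in vault.get("properties", {}).get("accessPolicies", []):
        perms = policy.get("permissions", {})
        for obj_type in OBJECT_TYPES:
            for perm in perms.get(obj_type, []):
                if perm.lower() in BROAD_PERMISSIONS:
                    findings.append((policy.get("objectId", "?"), obj_type, perm))
    return findings


def passes_rule(vault: dict) -> bool:
    """True when RBAC authorization is on, or no policy grants 'all'/'purge'."""
    props = vault.get("properties", {})
    if props.get("enableRbacAuthorization") is True:
        return True  # access policies are not used once RBAC is the authorization model
    return not find_broad_policies(vault)


if __name__ == "__main__":
    for object_id, obj_type, perm in find_broad_policies(SAMPLE_VAULT):
        print(f"{object_id}: '{perm}' on {obj_type} is broader than least privilege")
    print("passes rule:", passes_rule(SAMPLE_VAULT))
```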
### Configure with Bicep
To deploy Key Vaults that pass this rule:
- Use Azure RBAC as the authorization system instead. OR
- Configure the access policies by setting `properties.accessPolicies`:
  - Avoid assigning `purge` and `all` permissions for Key Vault objects. Use specific permissions such as `get` and `set`.
  - Avoid assigning
For example:
```bicep
resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: name
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'premium'
    }
    tenantId: tenant().tenantId
    softDeleteRetentionInDays: 90
    enableSoftDelete: true
    enablePurgeProtection: true
    accessPolicies: [
      {
        objectId: objectId
        permissions: {
          secrets: [
            'get'
            'list'
            'set'
          ]
        }
        tenantId: tenant().tenantId
      }
    ]
  }
}
```
### Configure with Azure Verified Modules
A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:
To use the latest version:
## Links
- SE:05 Identity and access management
- Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control
- Azure role-based access control vs. access policies
- Migrate from vault access policy to an Azure role-based access control permission model
- Best practices to use Key Vault
- Azure deployment reference