
Limit access to Key Vault data

Security · Key Vault · Azure.KeyVault.AccessPolicy

Use the principle of least privilege when assigning access to Key Vault.

Description

Key Vault is a service designed to securely store sensitive items such as secrets, keys and certificates. Access Policies determine the permissions that user accounts, groups or applications have to Key Vault items.

The ability for applications and administrators to get, set and list items within a Key Vault is commonly required. However, these permissions should only be assigned to security principals that require them. The purge permission should rarely be assigned.

Recommendation

Consider assigning access to Key Vault data based on the principle of least privilege.

Examples

Azure templates

To deploy Key Vault access policies that pass this rule:

  • Avoid assigning Purge and All permissions for Key Vault objects.

For example:

```json
{
    "comments": "Create or update a Key Vault.",
    "type": "Microsoft.KeyVault/vaults",
    "name": "[parameters('vaultName')]",
    "apiVersion": "2019-09-01",
    "location": "[parameters('location')]",
    "properties": {
        "accessPolicies": [
            {
                "objectId": "<object_id>",
                "tenantId": "<tenant_id>",
                "permissions": {
                    "secrets": [
                        "Get",
                        "List",
                        "Set"
                    ]
                }
            }
        ],
        "tenantId": "[subscription().tenantId]",
        "sku": {
            "name": "Standard",
            "family": "A"
        }
    }
}
```
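As an added example (not part of the rule documentation or of PSRule itself), the following Python check walks the Key Vault resources of a parsed ARM template and reports every access-policy entry that grants All or Purge, so a template can be screened before deployment. The sample template, its second policy and the placeholder object IDs are constructed for the example.

```python
import json

# Permission values the rule advises against, for any object type
# (keys, secrets, certificates, storage). Matched case-insensitively,
# since ARM accepts both "Get" and "get".
DISALLOWED = {"all", "purge"}


def find_overbroad_policies(template: dict) -> list:
    """Return (vault name, objectId, object type, permission) for every
    access-policy entry in the template that grants All or Purge."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.keyvault/vaults":
            continue
        for policy in res.get("properties", {}).get("accessPolicies", []):
            for obj_type, granted in policy.get("permissions", {}).items():
                for perm in granted:
                    if perm.lower() in DISALLOWED:
                        findings.append((res["name"], policy.get("objectId"), obj_type, perm))
    return findings


# Constructed sample template: one vault with two policies. The first mirrors
# the page's passing example; the second grants Purge and all and should fail.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "name": "[parameters('vaultName')]",
      "properties": {
        "accessPolicies": [
          {"objectId": "<app_object_id>", "tenantId": "<tenant_id>",
           "permissions": {"secrets": ["Get", "List", "Set"]}},
          {"objectId": "<admin_object_id>", "tenantId": "<tenant_id>",
           "permissions": {"keys": ["Get", "Purge"], "certificates": ["all"]}}
        ]
      }
    }
  ]
}
""")


def lint_sample() -> list:
    """Run the check over the constructed sample template."""
    return find_overbroad_policies(SAMPLE_TEMPLATE)
```

Only the second policy is reported; the first, which matches the passing template above, produces no findings.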

Last update: 2021-09-24