Skip to content

Limit access to Key Vault data#

Security · Key Vault · Rule · 2020_06 · Important

Use the principal of least privilege when assigning access to Key Vault.

Description#

Key Vault is a service designed to securely store sensitive items such as secrets, keys and certificates. Access Policies determine the permissions user accounts, groups or applications have to Key Vaults items.

The ability for applications and administrators to get, set and list within a Key Vault is commonly required. However should only be assigned to security principals that require access. The purge permission should be rarely assigned.

Recommendation#

Consider assigning access to Key Vault data based on the principle of least privilege.

Examples#

Azure templates#

To deploy Key Vaults that pass this rule:

  • Use Azure RBAC as the authorization system instead. OR
  • Configure the access policies by setting properties.accessPolicies:
    • Avoid assigning purge and all permissions for Key Vault objects. Use specific permissions such as get and set.

For example:

Azure Template snippet
{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2023-07-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "sku": {
      "family": "A",
      "name": "premium"
    },
    "tenantId": "[tenant().tenantId]",
    "softDeleteRetentionInDays": 90,
    "enableSoftDelete": true,
    "enablePurgeProtection": true,
    "accessPolicies": [
      {
        "objectId": "[parameters('objectId')]",
        "permissions": {
          "secrets": [
            "get",
            "list",
            "set"
          ]
        },
        "tenantId": "[tenant().tenantId]"
      }
    ]
  }
}

Configure with Bicep#

To deploy Key Vaults that pass this rule:

  • Use Azure RBAC as the authorization system instead. OR
  • Configure the access policies by setting properties.accessPolicies:
    • Avoid assigning purge and all permissions for Key Vault objects. Use specific permissions such as get and set.

For example:

Azure Bicep snippet
resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: name
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'premium'
    }
    tenantId: tenant().tenantId
    softDeleteRetentionInDays: 90
    enableSoftDelete: true
    enablePurgeProtection: true
    accessPolicies: [
      {
        objectId: objectId
        permissions: {
          secrets: [
            'get'
            'list'
            'set'
          ]
        }
        tenantId: tenant().tenantId
      }
    ]
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/key-vault/vault:<version>

To use the latest version:

br/public:avm/res/key-vault/vault:0.9.0

Comments