
Use Azure role-based access control

Security · Key Vault · Rule · 2023_06 · Awareness

Key Vaults should use Azure RBAC as the authorization system for the data plane.

Description

Azure RBAC is the recommended authorization system for the Azure Key Vault data plane.

Azure RBAC allows users to manage permissions on keys, secrets, and certificates. It provides one place to manage all permissions across all Key Vaults.

Azure RBAC for Key Vault also allows users to have separate permissions on individual keys, secrets, and certificates.

The Azure RBAC permission model is not enabled by default.

Recommendation

Consider using Azure RBAC as the authorization system on Key Vaults for the data plane.

Examples

Configure with Azure template

To deploy Key Vaults that pass this rule:

  • Set the properties.enableRbacAuthorization property to true.

For example:

Azure Template snippet
{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2023-07-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "sku": {
      "family": "A",
      "name": "premium"
    },
    "tenantId": "[tenant().tenantId]",
    "softDeleteRetentionInDays": 90,
    "enableSoftDelete": true,
    "enablePurgeProtection": true,
    "enableRbacAuthorization": true,
    "networkAcls": {
      "defaultAction": "Deny",
      "bypass": "AzureServices"
    }
  }
}
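The rule this page documents can be checked offline before a template is deployed. The following is an added example, not PSRule's own implementation and not code from this page: it scans the resources array of an ARM template for Key Vault resources and reports each one as passing, failing, or needing review. A missing enableRbacAuthorization property is reported as a failure because, as noted above, the RBAC permission model is not enabled by default; a value that is still an unresolved ARM expression (for example a parameter reference) is reported for review rather than guessed. The template below is constructed sample input, and the function names are the example's own.

```python
"""Offline check of Key Vault resources in an ARM template for Azure RBAC authorization.

Added example (assumption: not PSRule's implementation). A Key Vault passes when
properties.enableRbacAuthorization is literally true. An absent property fails,
because the vault then uses access policies by default. An ARM expression such
as "[parameters('enableRbac')]" cannot be judged without resolving parameters,
so it is flagged for review instead of being treated as pass or fail.
"""
import json

KEY_VAULT_TYPE = "microsoft.keyvault/vaults"  # ARM resource types compare case-insensitively


def is_arm_expression(value):
    """True when the value is an unevaluated ARM template expression like "[parameters('x')]"."""
    return isinstance(value, str) and value.startswith("[") and value.endswith("]")


def evaluate_vault(resource):
    """Evaluate one resource dict; return (status, reason) with status in {"pass", "fail", "review"}."""
    props = resource.get("properties") or {}
    value = props.get("enableRbacAuthorization")
    if value is True:
        return "pass", "enableRbacAuthorization is true"
    if value is None:
        return "fail", "enableRbacAuthorization not set; vault defaults to access policies"
    if is_arm_expression(value):
        return "review", f"enableRbacAuthorization is the expression {value}; resolve it before judging"
    return "fail", f"enableRbacAuthorization is {value!r}"


def check_template(template_text):
    """Evaluate every top-level Key Vault resource in an ARM template JSON string.

    Returns a list of (resource name, status, reason) tuples, one per vault.
    Non-vault resources (and child resources such as secrets) are ignored.
    """
    template = json.loads(template_text)
    results = []
    for resource in template.get("resources", []):
        if str(resource.get("type", "")).lower() != KEY_VAULT_TYPE:
            continue
        status, reason = evaluate_vault(resource)
        results.append((resource.get("name", "<unnamed>"), status, reason))
    return results


# Constructed sample template: one compliant vault and three that need attention.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.KeyVault/vaults", "apiVersion": "2023-07-01", "name": "kv-rbac",
         "location": "eastus", "properties": {"enableRbacAuthorization": True}},
        {"type": "Microsoft.KeyVault/vaults", "apiVersion": "2023-07-01", "name": "kv-default",
         "location": "eastus", "properties": {"enableSoftDelete": True}},
        {"type": "Microsoft.KeyVault/vaults", "apiVersion": "2023-07-01", "name": "kv-policies",
         "location": "eastus", "properties": {"enableRbacAuthorization": False}},
        {"type": "Microsoft.KeyVault/vaults", "apiVersion": "2023-07-01", "name": "kv-param",
         "location": "eastus", "properties": {"enableRbacAuthorization": "[parameters('enableRbac')]"}},
        {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-01-01", "name": "stignored",
         "location": "eastus", "properties": {}},
    ],
})

if __name__ == "__main__":
    for name, status, reason in check_template(SAMPLE_TEMPLATE):
        print(f"{status.upper():6} {name}: {reason}")
```

Run against a real template by passing its contents to check_template; a "review" result means the decision depends on a parameter file, which is the same reason a pre-deployment check can disagree with an in-portal check after deployment.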

Configure with Bicep

To deploy Key Vaults that pass this rule:

  • Set the properties.enableRbacAuthorization property to true.

For example:

Azure Bicep snippet
resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: name
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'premium'
    }
    tenantId: tenant().tenantId
    softDeleteRetentionInDays: 90
    enableSoftDelete: true
    enablePurgeProtection: true
    enableRbacAuthorization: true
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/key-vault/vault:<version>

To use the latest version:

br/public:avm/res/key-vault/vault:0.9.0

Configure with Azure CLI

Azure CLI snippet
az keyvault update -n '<name>' -g '<resource_group>' --enable-rbac-authorization

Configure with Azure PowerShell

Azure PowerShell snippet
Update-AzKeyVault -ResourceGroupName '<resource_group>' -Name '<name>' -EnableRbacAuthorization

Configure with Azure Policy

To address this issue at runtime use the following policies:

Notes

The RBAC permission model may not be suitable for all use cases. If this rule is not suitable for your use case, you can exclude or suppress the rule. For information about its limitations, see Azure role-based access control vs. access policies in the LINKS section.
