Use Azure role-based access control

Security · Key Vault · Rule · 2023_06 · Awareness

Key Vaults should use Azure RBAC as the authorization system for the data plane.

Description

Azure RBAC is the recommended authorization system for the Azure Key Vault data plane.

Azure RBAC allows users to manage key, secrets, and certificates permissions. It provides one place to manage all permissions across all Key Vaults.

Azure RBAC for Key Vault also allows users to have separate permissions on individual keys, secrets, and certificates.

The Azure RBAC permission model is not enabled by default.

Recommendation

Consider using Azure RBAC as the authorization system on Key Vaults for the data plane.

Examples

Configure with Azure template

To deploy Key Vaults that pass this rule:

• Set the properties.enableRbacAuthorization property to true.

For example:

Azure Template snippet

{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2023-07-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "sku": {
      "family": "A",
      "name": "premium"
    },
    "tenantId": "[tenant().tenantId]",
    "softDeleteRetentionInDays": 90,
    "enableSoftDelete": true,
    "enablePurgeProtection": true,
    "enableRbacAuthorization": true,
    "networkAcls": {
      "defaultAction": "Deny",
      "bypass": "AzureServices"
    }
  }
}

Configure with Bicep

To deploy Key Vaults that pass this rule:

• Set the properties.enableRbacAuthorization property to true.

For example:

Azure Bicep snippet

resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: name
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'premium'
    }
    tenantId: tenant().tenantId
    softDeleteRetentionInDays: 90
    enableSoftDelete: true
    enablePurgeProtection: true
    enableRbacAuthorization: true
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
  }
}

Configure with Azure CLI

Azure CLI snippet

az keyvault update -n '<name>' -g '<resource_group>' --enable-rbac-authorization

Configure with Azure PowerShell

Azure PowerShell snippet

Update-AzKeyVault -ResourceGroupName '<resource_group>' -Name '<name>' -EnableRbacAuthorization

Configure with Azure Policy

To address this issue at runtime use the following policies:

• Azure Key Vault should use RBAC permission model

Notes

The RBAC permission model may not be suitable for all use cases. If this rule is not suitable for your use case, you can exclude or suppress the rule. For information about limitations see Azure role-based access control vs. access policies in the LINKS section.

Links

• SE:05 Identity and access management
• What is Azure role-based access control?
• Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control
• Azure role-based access control vs. access policies
• Migrate from vault access policy to an Azure role-based access control permission model
• Azure Key Vault security
• Azure security baseline for Key Vault
• IM-1: Use centralized identity and authentication system
• Azure deployment reference

Comments