Use Azure role-based access control
Security · Key Vault · Rule · 2023_06 · Awareness
Key Vaults should use Azure RBAC as the authorization system for the data plane.
Description
Azure RBAC is the recommended authorization system for the Azure Key Vault data plane.
Azure RBAC allows users to manage permissions on keys, secrets, and certificates. It provides one place to manage all permissions across all Key Vaults.
Azure RBAC for Key Vault also allows users to have separate permissions on individual keys, secrets, and certificates.
The Azure RBAC permission model is not enabled by default.
Recommendation
Consider using Azure RBAC as the authorization system on Key Vaults for the data plane.
Examples
Configure with Azure template
To deploy Key Vaults that pass this rule:
- Set the `properties.enableRbacAuthorization` property to `true`.
For example:
```json
{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2023-07-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "sku": {
      "family": "A",
      "name": "premium"
    },
    "tenantId": "[tenant().tenantId]",
    "softDeleteRetentionInDays": 90,
    "enableSoftDelete": true,
    "enablePurgeProtection": true,
    "enableRbacAuthorization": true,
    "networkAcls": {
      "defaultAction": "Deny",
      "bypass": "AzureServices"
    }
  }
}
```
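The following is an added example, not part of the PSRule for Azure documentation and not the rule's own PowerShell implementation. It shows the check this rule performs, written in Python against a plain ARM template: every `Microsoft.KeyVault/vaults` resource is inspected and reported when `properties.enableRbacAuthorization` is missing (Key Vault then falls back to the access-policy model) or explicitly `false`. The sample template, the vault names and the `remediate_template` helper are constructed for this example.

```python
"""Added example: flag Key Vaults in an ARM template whose data plane is not
using Azure RBAC. Not PSRule's own rule code; the template below is constructed."""
import copy
import json

KEY_VAULT_TYPE = "microsoft.keyvault/vaults"


def keyvault_rbac_findings(template):
    """Return [(resource name, reason)] for each Key Vault resource that does
    not set enableRbacAuthorization to true. Other resource types are skipped."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != KEY_VAULT_TYPE:
            continue
        props = res.get("properties") or {}
        value = props.get("enableRbacAuthorization")
        if value is True:
            continue  # compliant: Azure RBAC is the data-plane authorization system
        if value is None:
            reason = "enableRbacAuthorization not set (vault defaults to access policies)"
        else:
            reason = f"enableRbacAuthorization is {value!r}"
        findings.append((res.get("name", "<unnamed>"), reason))
    return findings


def remediate_template(template):
    """Return a deep copy of the template with enableRbacAuthorization set to true
    on every Key Vault. Any accessPolicies left in the resource are not removed;
    Azure ignores them once the RBAC permission model is enabled."""
    fixed = copy.deepcopy(template)
    for res in fixed.get("resources", []):
        if res.get("type", "").lower() == KEY_VAULT_TYPE:
            res.setdefault("properties", {})["enableRbacAuthorization"] = True
    return fixed


def scan_template_text(text):
    """Convenience wrapper for a template loaded from a file or CI artifact."""
    return keyvault_rbac_findings(json.loads(text))


# Constructed sample: one compliant vault, one that omits the property,
# one that disables it, and a non-vault resource that must be ignored.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.KeyVault/vaults", "apiVersion": "2023-07-01",
         "name": "kv-rbac", "location": "eastus",
         "properties": {"enableRbacAuthorization": True,
                        "tenantId": "[tenant().tenantId]",
                        "sku": {"family": "A", "name": "standard"}}},
        {"type": "Microsoft.KeyVault/vaults", "apiVersion": "2023-07-01",
         "name": "kv-legacy", "location": "eastus",
         "properties": {"tenantId": "[tenant().tenantId]",
                        "sku": {"family": "A", "name": "standard"},
                        "accessPolicies": []}},
        {"type": "Microsoft.KeyVault/vaults", "apiVersion": "2023-07-01",
         "name": "kv-disabled", "location": "eastus",
         "properties": {"enableRbacAuthorization": False,
                        "tenantId": "[tenant().tenantId]",
                        "sku": {"family": "A", "name": "standard"}}},
        {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-01-01",
         "name": "stignored", "location": "eastus",
         "sku": {"name": "Standard_LRS"}, "kind": "StorageV2"},
    ],
}

if __name__ == "__main__":
    for name, reason in scan_template_text(json.dumps(SAMPLE_TEMPLATE)):
        print(f"FAIL {name}: {reason}")
    print("after remediation:", keyvault_rbac_findings(remediate_template(SAMPLE_TEMPLATE)))
```

Run against the constructed template it reports `kv-legacy` and `kv-disabled` and nothing for `kv-rbac`; after `remediate_template` no findings remain. The type comparison is case-insensitive because ARM resource types are not case-sensitive in practice, and a missing property is treated as a failure rather than a pass, matching the rule's point that the RBAC permission model is not enabled by default.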
Configure with Bicep
To deploy Key Vaults that pass this rule:
- Set the `properties.enableRbacAuthorization` property to `true`.
For example:
```bicep
resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: name
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'premium'
    }
    tenantId: tenant().tenantId
    softDeleteRetentionInDays: 90
    enableSoftDelete: true
    enablePurgeProtection: true
    enableRbacAuthorization: true
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
  }
}
```
Configure with Azure Verified Modules
A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:
To use the latest version:
Configure with Azure CLI
Configure with Azure PowerShell
```powershell
Update-AzKeyVault -ResourceGroupName '<resource_group>' -Name '<name>' -EnableRbacAuthorization
```
Configure with Azure Policy
To address this issue at runtime use the following policies:
- Azure Key Vault should use RBAC permission model `/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5`.
Notes
The RBAC permission model may not be suitable for all use cases.
If this rule is not suitable for your use case, you can exclude or suppress the rule.
For information about limitations see Azure role-based access control vs. access policies in the Links section.
Links
- SE:05 Identity and access management
- IM-1: Use centralized identity and authentication system
- What is Azure role-based access control?
- Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control
- Azure role-based access control vs. access policies
- Migrate from vault access policy to an Azure role-based access control permission model
- Azure Key Vault security
- Azure security baseline for Key Vault
- Azure deployment reference