Control: 8.6 Enable Role Based Access Control for Azure Key Vault
Description
WARNING: Role assignments disappear when a Key Vault has been deleted (soft- delete) and recovered. Afterwards it will be required to recreate all role assignments. This is a limitation of the soft-delete feature across all Azure services.
The new RBAC permissions model for Key Vaults enables a much finer grained access control for key vault secrets, keys, certificates, etc., than the vault access policy. This in turn will permit the use of privileged identity management over these roles, thus securing the key vaults with JIT Access management.
Remediation
From Azure Portal
Key Vaults can be configured to use Azure role-based access control on creation. For existing Key Vaults:
- From Azure Home open the Portal Menu in the top left corner.
- Select
Key Vaults. - Open every Key Vault you wish to audit.
- Select
Access configuration. - Set the Permission model radio button to
Azure role-based access control, taking note of the warning message. - Click
Save. - Select
Access Control (IAM). - Select the
Role Assignmentstab. - Reapply permissions as needed to groups or users.
Default Value
The default value for Access control in Key Vaults is Vault Policy.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v200_8_6Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v200_8_6 --shareSQL
This control uses a named query:
keyvault_rbac_enabled