
lacework-global-639

Enable Role Based Access Control for Azure Key Vault (Automated)

note

This rule has been changed to automated, see Automated Policies for CIS Azure 1.5.0 for details.

Profile Applicability

• Level 2

Description

The recommended way to access Key Vaults is to use the Azure Role-Based Access Control (RBAC) permissions model.

Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. For Key Vault it lets you grant Key, Secret, and Certificate permissions through built-in or custom roles assigned at management group, subscription, resource group, vault, or individual object scope, giving one place to manage permissions across all key vaults instead of a separate access-policy list on each vault.

Rationale

The RBAC permissions model for Key Vaults provides much finer-grained access control over key vault secrets, keys, and certificates than the legacy vault access policy model. Because RBAC role assignments can be managed through Privileged Identity Management (PIM), access to vault contents can be made eligible rather than standing, securing the key vaults with just-in-time (JIT) access.

Impact

Implementation needs to be properly designed from the ground up, as this is a fundamental change to the way key vaults are accessed and managed. Once the permission model is switched, existing access policies are ignored, so any identity without a corresponding RBAC role assignment loses access until permissions are re-applied. For the least amount of downtime, map your current groups, users, and service principals to their corresponding role assignments before switching the model.

Audit

From Azure Portal

  1. From Azure Home open the Portal Menu in the top left corner.
  2. Select Key Vaults.
  3. View the Key Vaults within your subscription.
  4. Open every Key Vault you wish to audit.
  5. Select Access configuration.
  6. The Permission model radio button should be set to Azure role-based access control.

Remediation

From Azure Portal

You can configure Key Vaults to use Azure role-based access control on creation.

For existing Key Vaults:

  1. From Azure Home open the Portal Menu in the top left corner.
  2. Select Key Vaults.
  3. Select a Key Vault to remediate.
  4. Select Access configuration.
  5. Set the Permission model radio button to Azure role-based access control, taking note of the warning message.
  6. Click Apply.
  7. Select Access control (IAM).
  8. Select the Role assignments tab.
  9. Reapply permissions as needed to groups, users, or service principals.
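The audit and remediation steps above are portal walk-throughs; at scale the same check is done from the vault's `properties.enableRbacAuthorization` flag (for example `az keyvault show --name <vault> --query properties.enableRbacAuthorization`). The script below is an added example, not code from the CIS benchmark, Lacework, or Microsoft: it takes JSON in the shape returned by `az keyvault show` (one object per vault; only `id`, `name`, `properties.enableRbacAuthorization` and `properties.accessPolicies` are used), reports vaults still on the access-policy model, and emits the Azure CLI commands that re-create equivalent role assignments before flipping the model, which is the ordering that avoids the loss of service described under Impact. The vault and object IDs in the sample are constructed, the role names are the real Key Vault built-in roles, and the policy-to-role mapping is a simplified assumption rather than Microsoft's full migration table.

```python
"""Added example: audit Key Vault permission model and plan the RBAC migration.

Not part of the CIS/Lacework page. Input mimics `az keyvault show` output; the
policy-to-role mapping is a simplified assumption (see the migration reference
in the page for the authoritative table).
"""
import json

# Constructed sample (fake vault IDs and principal object IDs), in the shape of
# `az keyvault show` output, one entry per vault.
SAMPLE_VAULTS_JSON = """
[
  {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-payments-prod",
   "name": "kv-payments-prod",
   "properties": {"enableRbacAuthorization": false,
     "accessPolicies": [
       {"objectId": "11111111-1111-1111-1111-111111111111",
        "permissions": {"secrets": ["get", "list"], "keys": [], "certificates": []}},
       {"objectId": "22222222-2222-2222-2222-222222222222",
        "permissions": {"secrets": ["all"], "keys": ["all"], "certificates": ["all"]}},
       {"objectId": "33333333-3333-3333-3333-333333333333",
        "permissions": {"secrets": [], "keys": ["get", "list", "decrypt", "sign"], "certificates": []}}
     ]}},
  {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dev/providers/Microsoft.KeyVault/vaults/kv-analytics-dev",
   "name": "kv-analytics-dev",
   "properties": {"enableRbacAuthorization": true, "accessPolicies": []}}
]
"""

# Real Key Vault built-in data-plane role names.
ROLE_ADMIN = "Key Vault Administrator"
ROLE_SECRETS_USER = "Key Vault Secrets User"
ROLE_SECRETS_OFFICER = "Key Vault Secrets Officer"
ROLE_CRYPTO_USER = "Key Vault Crypto User"
ROLE_CRYPTO_OFFICER = "Key Vault Crypto Officer"
ROLE_CERTS_OFFICER = "Key Vault Certificates Officer"

READ_ONLY = {"get", "list"}
# Actions covered by Key Vault Crypto User (use a key without managing it).
CRYPTO_USE = READ_ONLY | {"encrypt", "decrypt", "sign", "verify", "wrapkey", "unwrapkey"}


def is_rbac_enabled(vault):
    """The audited setting: True when the vault uses the Azure RBAC permission model."""
    return bool(vault.get("properties", {}).get("enableRbacAuthorization", False))


def audit(vaults):
    """Names of vaults still on the legacy access-policy model (non-compliant)."""
    return [v["name"] for v in vaults if not is_rbac_enabled(v)]


def roles_for(perms):
    """Map one access policy's permission lists to the narrowest built-in roles.

    Simplified assumption: read-only actions get the *User* role, anything
    broader gets the *Officer* role, and 'all' on every object type gets
    Key Vault Administrator. Certificates have no read-only role in this
    mapping, so such policies get Certificates Officer and should be reviewed.
    """
    s = {p.lower() for p in perms.get("secrets") or []}
    k = {p.lower() for p in perms.get("keys") or []}
    c = {p.lower() for p in perms.get("certificates") or []}
    if "all" in s and "all" in k and "all" in c:
        return [ROLE_ADMIN]
    roles = []
    if s:
        roles.append(ROLE_SECRETS_USER if s <= READ_ONLY else ROLE_SECRETS_OFFICER)
    if k:
        roles.append(ROLE_CRYPTO_USER if k <= CRYPTO_USE else ROLE_CRYPTO_OFFICER)
    if c:
        roles.append(ROLE_CERTS_OFFICER)
    return roles


def plan_migration(vault):
    """Azure CLI commands for one vault: role assignments first, model switch last.

    Role assignments created while the vault is still on access policies are
    simply inert, so creating them first means no caller loses access when
    `--enable-rbac-authorization true` is applied.
    """
    cmds = []
    for pol in vault.get("properties", {}).get("accessPolicies") or []:
        for role in roles_for(pol.get("permissions", {})):
            cmds.append(
                f'az role assignment create --assignee-object-id {pol["objectId"]} '
                f'--role "{role}" --scope {vault["id"]}')
    cmds.append(f'az keyvault update --name {vault["name"]} --enable-rbac-authorization true')
    return cmds


def report(vaults_json):
    """Return (non-compliant vault names, {vault name: migration commands})."""
    vaults = json.loads(vaults_json)
    noncompliant = audit(vaults)
    plans = {v["name"]: plan_migration(v) for v in vaults if v["name"] in noncompliant}
    return noncompliant, plans


if __name__ == "__main__":
    bad, plans = report(SAMPLE_VAULTS_JSON)
    print("Non-compliant vaults:", bad)
    for name, cmds in plans.items():
        print(f"\n# {name}")
        print("\n".join(cmds))
```

Feed it the output of `az keyvault show` for each vault (wrapped in a JSON array) and review the generated commands before running them; the Officer-vs-User split is where least privilege is decided, so a policy that today holds `all` should be questioned rather than mechanically promoted to Key Vault Administrator.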

References

https://docs.microsoft.com/en-gb/azure/key-vault/general/rbac-migration#vault-access-policy-to-azure-rbac-migration-steps
https://docs.microsoft.com/en-gb/azure/role-based-access-control/role-assignments-portal?tabs=current
https://docs.microsoft.com/en-gb/azure/role-based-access-control/overview
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-8-ensure-security-of-key-and-certificate-repository