turbot/azure_cis

Pipeline: 3.3.6 Enable Role Based Access Control for Azure Key Vault

Description

The recommended way to access Key Vaults is to use the Azure Role-Based Access Control (RBAC) permissions model.

Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. It allows users to manage Key, Secret, and Certificate permissions. It provides one place to manage all permissions across all key vaults.

The RBAC permissions model for Key Vaults enables much finer-grained access control over key vault secrets, keys, and certificates than the vault access policy model does. Because access is then expressed as role assignments, Privileged Identity Management (PIM) can be applied to those roles, securing the key vaults with just-in-time (JIT) access.

Remediation

From Azure Portal

Key Vaults can be configured to use Azure role-based access control on creation.

For existing Key Vaults:

  1. From Azure Home open the Portal Menu in the top left corner.
  2. Select Key Vaults.
  3. Select a Key Vault to audit.
  4. Select Access configuration.
  5. Set the Permission model radio button to Azure role-based access control, taking note of the warning message.
  6. Click Save.
  7. Select Access Control (IAM).
  8. Select the Role Assignments tab.
  9. Reapply permissions as needed to groups or users.

From Azure CLI

To enable RBAC authorization for each Key Vault, run the following Azure CLI command. Note that once the permission model is switched, the vault's existing access policies stop applying, so create the equivalent role assignments on the vault before (or immediately after) running it:

az keyvault update --resource-group <resource_group> --name <vault_name> --enable-rbac-authorization true

From PowerShell

To enable RBAC authorization on each Key Vault, run the following PowerShell command:

Update-AzKeyVault -ResourceGroupName <resource_group> -VaultName <vault_name> -EnableRbacAuthorization $True
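The portal and CLI steps above switch the permission model but leave "reapply permissions as needed" to the operator. The following script is an added example for this page, not part of the turbot/azure_cis mod or of Azure's tooling: it reads the JSON printed by `az keyvault list -o json`, reports every vault still on the vault access-policy model, lists the principals whose access policies will stop applying, and drafts the az commands in a downtime-free order (role assignments first, the permission-model switch last). The access-policy-to-role mapping is this example's own least-privilege heuristic, the embedded sample data is constructed, and the JSON field shape (`properties.enableRbacAuthorization`, `properties.accessPolicies[].permissions`) is assumed from current az output and should be checked against your CLI version.

```python
"""Audit Key Vault permission models and draft the RBAC migration.

Added example for this page (not part of the turbot/azure_cis mod or of
Azure's tooling). Usage:  az keyvault list -o json | python3 kv_rbac_audit.py
With no piped input it runs against the constructed sample below.
"""
import json
import sys

# Access-policy permissions that the built-in *User* data-plane roles cover;
# anything beyond these sets is mapped to the *Officer* role. This is this
# example's own least-privilege heuristic, not an Azure or CIS rule: review
# every suggestion against the principal's real needs before applying it.
USER_LEVEL = {
    "secrets": {"get", "list"},
    "keys": {"get", "list", "encrypt", "decrypt", "sign", "verify",
             "wrapkey", "unwrapkey"},
    "certificates": {"get", "list"},
}
ROLES = {
    "secrets": ("Key Vault Secrets User", "Key Vault Secrets Officer"),
    "keys": ("Key Vault Crypto User", "Key Vault Crypto Officer"),
    "certificates": ("Key Vault Certificate User", "Key Vault Certificates Officer"),
}
ADMIN_ROLE = "Key Vault Administrator"


def suggest_roles(permissions):
    """Map one access policy's permissions block to built-in RBAC roles."""
    roles = []
    for category, (user_role, officer_role) in ROLES.items():
        granted = {p.lower() for p in permissions.get(category) or []}
        if not granted:
            continue
        roles.append(user_role if granted <= USER_LEVEL[category] else officer_role)
    # Full control of all three object types is one administrator role,
    # not three officer roles.
    if len(roles) == 3 and all(r.endswith("Officer") for r in roles):
        return [ADMIN_ROLE]
    return roles


def audit(vaults):
    """One finding per vault whose enableRbacAuthorization is not true."""
    findings = []
    for vault in vaults:
        props = vault.get("properties") or {}
        if props.get("enableRbacAuthorization") is True:
            continue
        principals = [
            {"objectId": policy["objectId"],
             "roles": suggest_roles(policy.get("permissions") or {})}
            for policy in props.get("accessPolicies") or []
        ]
        findings.append({"name": vault["name"], "resourceGroup": vault["resourceGroup"],
                         "id": vault["id"], "principals": principals})
    return findings


def remediation_commands(finding):
    """az commands for one finding: role assignments first, then flip the model."""
    cmds = []
    for principal in finding["principals"]:
        for role in principal["roles"]:
            cmds.append(f'az role assignment create --assignee {principal["objectId"]} '
                        f'--role "{role}" --scope {finding["id"]}')
    cmds.append(f'az keyvault update --resource-group {finding["resourceGroup"]} '
                f'--name {finding["name"]} --enable-rbac-authorization true')
    return cmds


# Constructed sample in the shape of `az keyvault list -o json`, trimmed to the
# fields used here; vault names, resource IDs and object IDs are made up.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_VAULTS = [
    {"name": "kv-rbac", "resourceGroup": "rg-prod",
     "id": f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-rbac",
     "properties": {"enableRbacAuthorization": True, "accessPolicies": []}},
    {"name": "kv-legacy", "resourceGroup": "rg-prod",
     "id": f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-legacy",
     "properties": {"enableRbacAuthorization": False, "accessPolicies": [
         {"objectId": "11111111-1111-1111-1111-111111111111",
          "permissions": {"secrets": ["get", "list"]}},
         {"objectId": "22222222-2222-2222-2222-222222222222",
          "permissions": {"keys": ["get", "list", "sign", "verify"]}},
         {"objectId": "33333333-3333-3333-3333-333333333333",
          "permissions": {"keys": ["get", "list", "create", "delete", "purge"],
                          "secrets": ["get", "list", "set", "delete"],
                          "certificates": ["get", "list", "create", "delete"]}},
     ]}},
]

if __name__ == "__main__":
    vaults = SAMPLE_VAULTS if sys.stdin.isatty() else json.load(sys.stdin)
    for finding in audit(vaults):
        print(f"# {finding['name']} ({finding['resourceGroup']}) still uses vault access policies")
        print("\n".join(remediation_commands(finding)))
```

Review the drafted commands before running them: the script cannot see which access policies are still in use, so stale policies turn into stale role assignments unless they are pruned first. Creating the assignments before the `az keyvault update` call matters because role assignments on the vault scope can exist while the access-policy model is still active, which avoids a window in which workloads lose access.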

Default Value

The default value for Access control in Key Vaults is Vault Policy.

Run the pipeline

To run this pipeline from your terminal:

flowpipe pipeline run azure_cis.pipeline.cis_v300_3_3_6

Use this pipeline

To call this pipeline from your pipeline, use a step:

step "pipeline" "step_name" {
  pipeline = azure_cis.pipeline.cis_v300_3_3_6
}

Params

Name                Type                  Required  Description                                                                                           Default
database            connection.steampipe  Yes       Database connection string.                                                                           connection.steampipe.default
notifier            notifier              Yes       The name of the notifier to use for sending notification messages.                                   notifier.default
notification_level  string                Yes       The verbosity level of notification messages to send. Valid options are 'verbose', 'info', 'error'.  info
approvers           list(notifier)        Yes       List of notifiers to be used for obtaining action/approval decisions.                                 notifier.default

Outputs

This pipeline has no outputs.

Tags

folder = CIS v3.0.0/3 Security/3.3 Key Vault