last sync: 2024-Oct-07 17:51:17 UTC

Azure Key Vault should use RBAC permission model

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Azure Key Vault should use RBAC permission model
Id: 12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5
Version: 1.0.1
Versioning: 2 versions supported (1.0.0-preview, 1.0.1)
Category: Key Vault
Description: Enable RBAC permission model across Key Vaults. Learn more at: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration
Mode: Indexed
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default Audit; Allowed Audit, Deny, Disabled
RBAC role(s): none
Rule aliases, IF (2)
Alias | Namespace | ResourceType | Path | PathIsDefault | DefaultPath | Modifiable
Microsoft.KeyVault/vaults/createMode | Microsoft.KeyVault | vaults | properties.createMode | True | (default) | True
Microsoft.KeyVault/vaults/enableRbacAuthorization | Microsoft.KeyVault | vaults | properties.enableRbacAuthorization | True | (default) | True

Rule resource types, IF (1)
Microsoft.KeyVault/vaults
Compliance
The following 2 compliance controls are associated with this Policy definition 'Azure Key Vault should use RBAC permission model' (12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5).

Control Domain: CIS_Azure_2.0.0
Control Name: 8.6
MetadataId: CIS_Azure_2.0.0_8.6
Category / Title: CIS Microsoft Azure Foundations Benchmark recommendation 8.6 - 8 Enable Role Based Access Control for Azure Key Vault
Owner: Shared
Requirements Description: Implementation needs to be properly designed from the ground up, as this is a fundamental change to the way key vaults are accessed/managed. Changing permissions to key vaults will result in loss of service as permissions are re-applied. For the least amount of downtime, map your current groups and users to their corresponding permission needs. WARNING: Role assignments disappear when a Key Vault has been deleted (soft-delete) and recovered. Afterwards it will be required to recreate all role assignments. This is a limitation of the soft-delete feature across all Azure services. The new RBAC permissions model for Key Vaults enables a much finer grained access control for key vault secrets, keys, certificates, etc., than the vault access policy. This in turn will permit the use of privileged identity management over these roles, thus securing the key vaults with JIT Access management.
Policy#: 1

Control Domain: New_Zealand_ISM
Control Name: 17.9.35.C.01
MetadataId: New_Zealand_ISM_17.9.35.C.01
Category / Title: 17. Cryptography - Key Management - Cryptographic system administrator access
Owner: n/a
Requirements Description: The cryptographic system administrator is a highly privileged position which involves granting privileged access to a cryptographic system. Therefore extra precautions need to be put in place surrounding the security and vetting of the personnel as well as the access control procedures for individuals designated as cryptographic system administrators.
Policy#: 1
Initiatives usage
Initiative DisplayName | Initiative Id | Initiative Category | State | Type
CIS Microsoft Azure Foundations Benchmark v2.0.0 | 06f19060-9e68-4070-92ca-f15cc126059e | Regulatory Compliance | GA | BuiltIn
Enforce recommended guardrails for Azure Key Vault | Enforce-Guardrails-KeyVault | Key Vault | GA | ALZ
New Zealand ISM | 4f5b1359-4f8e-4d7c-9733-ea47fcde891e | Regulatory Compliance | GA | BuiltIn
History
Date/Time (UTC, ymd) | Change type | Change detail
2024-02-13 19:27:15 | change | Patch, old suffix: preview (1.0.0-preview > 1.0.1)
2023-01-27 18:40:07 | add | 12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5