last sync: 2025-Feb-10 21:12:28 UTC

Azure Key Vault should use RBAC permission model

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Azure Key Vault should use RBAC permission model
Id: 12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5
Version: 1.0.1
Versioning: 2 versions supported (1.0.0-preview, 1.0.1); see "Built-in Versioning [Preview]" for details on versioning
Category: Key Vault (Microsoft Learn)
Description: Enable RBAC permission model across Key Vaults. Learn more at: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration
Cloud environments: AzureCloud = true; AzureUSGovernment = unknown; AzureChinaCloud = unknown
Available in AzUSGov: Unknown, no evidence whether the Policy definition is or is not available in AzureUSGovernment
Mode: Indexed
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default = Audit; Allowed = Audit, Deny, Disabled
RBAC role(s): none
Rule aliases IF (2)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.KeyVault/vaults/createMode Microsoft.KeyVault vaults properties.createMode True True
Microsoft.KeyVault/vaults/enableRbacAuthorization Microsoft.KeyVault vaults properties.enableRbacAuthorization True True
Rule resource types IF (1)
Microsoft.KeyVault/vaults
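The two aliases above are the whole condition this definition evaluates. The following is an added example, not code from the page or from Microsoft: it reconstructs the IF block from those aliases and runs it offline over constructed vault JSON, then sketches the access-policy-to-role mapping that the CIS text below says must be planned before the switch is flipped. Assumptions are marked in comments: the carve-out for createMode == "recover" (a vault being restored from soft delete keeps its prior settings), treating an absent enableRbacAuthorization as "not true", and the simplified permission-to-role mapping. The object IDs are placeholders.

```python
"""Offline evaluation of policy 12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5 against vault JSON.

Added example, not from the page or from Microsoft. It mirrors the policy's IF block
from the two aliases listed above and sketches the access-policy -> RBAC mapping that
the CIS warning says must be planned before flipping the switch.
"""
import json

# Constructed sample resources in the shape of Microsoft.KeyVault/vaults (trimmed).
# Object IDs are placeholders, not real principals.
SAMPLE_VAULTS_JSON = """
[
  {"name": "kv-rbac", "type": "Microsoft.KeyVault/vaults",
   "properties": {"enableRbacAuthorization": true, "accessPolicies": []}},
  {"name": "kv-legacy", "type": "Microsoft.KeyVault/vaults",
   "properties": {"enableRbacAuthorization": false, "accessPolicies": [
     {"objectId": "00000000-0000-0000-0000-000000000001",
      "permissions": {"secrets": ["get", "list"], "keys": [], "certificates": []}},
     {"objectId": "00000000-0000-0000-0000-000000000002",
      "permissions": {"secrets": ["get", "list", "set", "delete"],
                      "keys": ["get", "list", "create", "sign"],
                      "certificates": ["get", "list", "create"]}}]}},
  {"name": "kv-recovering", "type": "Microsoft.KeyVault/vaults",
   "properties": {"createMode": "recover", "enableRbacAuthorization": false,
                  "accessPolicies": []}}
]
"""

# Simplified permission-to-role mapping (assumption for illustration; check the
# rbac-migration guide linked in the description before applying it).
SECRET_READ = {"get", "list"}
KEY_USE = {"get", "list", "encrypt", "decrypt", "sign", "verify", "wrapkey", "unwrapkey"}
CERT_READ = {"get", "list"}


def rule_matches(vault: dict) -> bool:
    """True when the policy IF block matches, i.e. the vault is non-compliant.

    Reconstructed from the aliases the page lists (createMode and
    enableRbacAuthorization). Assumptions: a vault being recovered from soft delete
    is skipped, and an absent enableRbacAuthorization counts as "not true", which is
    the legacy (access policy) default.
    """
    if vault.get("type") != "Microsoft.KeyVault/vaults":
        return False
    props = vault.get("properties", {})
    if props.get("createMode") == "recover":
        return False
    return props.get("enableRbacAuthorization") is not True


def suggest_roles(permissions: dict) -> set:
    """Map one access-policy entry to the least-privileged built-in data-plane roles."""
    roles = set()
    secrets = {p.lower() for p in permissions.get("secrets", [])}
    keys = {p.lower() for p in permissions.get("keys", [])}
    certs = {p.lower() for p in permissions.get("certificates", [])}
    if secrets:
        roles.add("Key Vault Secrets User" if secrets <= SECRET_READ
                  else "Key Vault Secrets Officer")
    if keys:
        roles.add("Key Vault Crypto User" if keys <= KEY_USE
                  else "Key Vault Crypto Officer")
    if certs:
        roles.add("Key Vault Certificate User" if certs <= CERT_READ
                  else "Key Vault Certificates Officer")
    return roles


def audit(vaults_json: str) -> list:
    """One finding per non-compliant vault, with proposed role(s) per principal."""
    findings = []
    for vault in json.loads(vaults_json):
        if not rule_matches(vault):
            continue
        proposed = {}
        for entry in vault.get("properties", {}).get("accessPolicies", []):
            proposed[entry["objectId"]] = sorted(suggest_roles(entry.get("permissions", {})))
        findings.append({"vault": vault["name"], "proposed_assignments": proposed})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_VAULTS_JSON):
        print(f"{finding['vault']}: enableRbacAuthorization is not true")
        for oid, roles in finding["proposed_assignments"].items():
            print(f"  {oid} -> {', '.join(roles) if roles else 'no data-plane rights; drop it'}")
```

Against a real subscription, feed `audit()` the output of `az keyvault list` (the vault objects carry `properties.enableRbacAuthorization` and `properties.accessPolicies`), create the proposed role assignments at vault scope first, and only then run `az keyvault update --name <vault> --enable-rbac-authorization true`; in that order the switch does not interrupt callers. Keep the CIS caveat below in mind: if a vault is soft-deleted and recovered, its role assignments are gone and must be recreated, so the proposed mapping is worth keeping as code, not as a one-off.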
Compliance
The following 37 compliance controls are associated with this Policy definition 'Azure Key Vault should use RBAC permission model' (12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Canada_Federal_PBMM_3-1-2020 IA_5(3) Canada_Federal_PBMM_3-1-2020_IA_5(3) Canada Federal PBMM 3-1-2020 IA 5(3) Authenticator Management Authenticator Management | In-Person or Trusted Third-Party Registration Shared The organization requires that the registration process to receive be conducted in person before an organization-defined registration authority with authorization by organization-defined personnel or roles. To enhance security and accountability within the organization's registration procedures. 25
CIS_Azure_2.0.0 8.6 CIS_Azure_2.0.0_8.6 CIS Microsoft Azure Foundations Benchmark recommendation 8.6 8 Enable Role Based Access Control for Azure Key Vault Shared Implementation needs to be properly designed from the ground up, as this is a fundamental change to the way key vaults are accessed/managed. Changing permissions to key vaults will result in loss of service as permissions are re-applied. For the least amount of downtime, map your current groups and users to their corresponding permission needs. WARNING: Role assignments disappear when a Key Vault has been deleted (soft-delete) and recovered. Afterwards it will be required to recreate all role assignments. This is a limitation of the soft-delete feature across all Azure services. The new RBAC permissions model for Key Vaults enables a much finer grained access control for key vault secrets, keys, certificates, etc., than the vault access policy. This in turn will permit the use of privileged identity management over these roles, thus securing the key vaults with JIT Access management. link 1
CIS_Controls_v8.1 12.8 CIS_Controls_v8.1_12.8 CIS Controls v8.1 12.8 Network Infrastructure Management Establish and maintain dedicated computing resources for all administrative work Shared 1. Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. 2. The computing resources should be segmented from the enterprise’s primary network and not be allowed internet access. To ensure administrative work is on a different system on which access to data and internet is restricted. 22
CIS_Controls_v8.1 5.4 CIS_Controls_v8.1_5.4 CIS Controls v8.1 5.4 Account Management Restrict administrator privileges to dedicated administrator accounts. Shared 1. Restrict administrator privileges to dedicated administrator accounts on enterprise assets. 2. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account. To restrict access to privileged accounts. 22
CMMC_L2_v1.9.0 AC.L1_3.1.2 CMMC_L2_v1.9.0_AC.L1_3.1.2 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AC.L1 3.1.2 Access Control Transaction & Function Control Shared Limit information system access to the types of transactions and functions that authorized users are permitted to execute. To restrict information system access. 3
CSA_v4.0.12 IAM_06 CSA_v4.0.12_IAM_06 CSA Cloud Controls Matrix v4.0.12 IAM 06 Identity & Access Management User Access Provisioning Shared n/a Define and implement a user access provisioning process which authorizes, records, and communicates access changes to data and assets. 24
CSA_v4.0.12 IAM_16 CSA_v4.0.12_IAM_16 CSA Cloud Controls Matrix v4.0.12 IAM 16 Identity & Access Management Authorization Mechanisms Shared n/a Define, implement and evaluate processes, procedures and technical measures to verify access to data and system functions is authorized. 46
Cyber_Essentials_v3.1 2 Cyber_Essentials_v3.1_2 Cyber Essentials v3.1 2 Cyber Essentials Secure Configuration Shared n/a Aim: ensure that computers and network devices are properly configured to reduce vulnerabilities and provide only the services required to fulfill their role. 61
Cyber_Essentials_v3.1 4 Cyber_Essentials_v3.1_4 Cyber Essentials v3.1 4 Cyber Essentials User Access Control Shared n/a Aim: ensure that user accounts (1) are assigned to authorised individuals only, and (2) provide access to only those applications, computers and networks the user needs to carry out their role. 74
Cyber_Essentials_v3.1 5 Cyber_Essentials_v3.1_5 Cyber Essentials v3.1 5 Cyber Essentials Malware protection Shared n/a Aim: to restrict execution of known malware and untrusted software, from causing damage or accessing data. 60
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 311
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 311
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 311
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 311
FBI_Criminal_Justice_Information_Services_v5.9.5 5.5 FBI_Criminal_Justice_Information_Services_v5.9.5_5.5 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5 Policy and Implementation - Access Control Access Control Shared Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI. Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information. 97
HITRUST_CSF_v11.3 01.c HITRUST_CSF_v11.3_01.c HITRUST CSF v11.3 01.c Authorized Access to Information Systems To control privileged access to information systems and services. Shared 1. Privileged role assignments to be automatically tracked and monitored. 2. Role-based access controls to be implemented and should be capable of mapping each user to one or more roles, and each role to one or more system functions. 3. Critical security functions to be executable only after granting of explicit authorization. The allocation and use of privileges to information systems and services shall be restricted and controlled. Special attention shall be given to the allocation of privileged access rights, which allow users to override system controls. 44
ISO_IEC_27002_2022 5.15 ISO_IEC_27002_2022_5.15 ISO IEC 27002 2022 5.15 Protection, Preventive Control Access control Shared Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. To ensure authorized access and to prevent unauthorized access to information and other associated assets. 4
ISO_IEC_27002_2022 5.18 ISO_IEC_27002_2022_5.18 ISO IEC 27002 2022 5.18 Protection, Preventive Control Access rights Shared Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control. To ensure access to information and other associated assets is defined and authorized according to the business requirements. 20
ISO_IEC_27002_2022 8.2 ISO_IEC_27002_2022_8.2 ISO IEC 27002 2022 8.2 Protection, Preventive, Control Privileged access rights Shared The allocation and use of privileged access rights should be restricted and managed. To ensure only authorized users, software components and services are provided with privileged access rights. 29
ISO_IEC_27002_2022 8.3 ISO_IEC_27002_2022_8.3 ISO IEC 27002 2022 8.3 Protection, Preventive, Control Information access restriction Shared Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control. To ensure only authorized access and to prevent unauthorized access to information and other associated assets. 4
New_Zealand_ISM 17.9.35.C.01 New_Zealand_ISM_17.9.35.C.01 New_Zealand_ISM_17.9.35.C.01 17. Cryptography 17.9.35.C.01 Cryptographic system administrator access n/a Before personnel are granted cryptographic system administrator access, agencies MUST ensure the requirements for access are met. For a full list see the control published here https://www.nzism.gcsb.govt.nz/ism-document#SubSection-16122 1
NIST_CSF_v2.0 PR.AA NIST_CSF_v2.0_PR.AA 404 not found n/a n/a 3
NIST_SP_800-171_R3 3.8.2 NIST_SP_800-171_R3_3.8.2 404 not found n/a n/a 3
NIST_SP_800-53_R5.1.1 AC.2.1 NIST_SP_800-53_R5.1.1_AC.2.1 NIST SP 800-53 R5.1.1 AC.2.1 Access Control Account Management | Automated System Account Management Shared Support the management of system accounts using [Assignment: organization-defined automated mechanisms]. Automated system account management includes using automated mechanisms to create, enable, modify, disable, and remove accounts; notify account managers when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred; monitor system account usage; and report atypical system account usage. Automated mechanisms can include internal system functions and email, telephonic, and text messaging notifications. 2
NIST_SP_800-53_R5.1.1 AC.3.7 NIST_SP_800-53_R5.1.1_AC.3.7 NIST SP 800-53 R5.1.1 AC.3.7 Access Control Access Enforcement | Role-based Access Control Shared Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles]. Role-based access control (RBAC) is an access control policy that enforces access to objects and system functions based on the defined role (i.e., job function) of the subject. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on the systems associated with the organization-defined roles. When users are assigned to specific roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a large number of individuals) but are instead acquired through role assignments. RBAC can also increase privacy and security risk if individuals assigned to a role are given access to information beyond what they need to support organizational missions or business functions. RBAC can be implemented as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in AC-3(3) define the scope of the subjects and objects covered by the policy. 2
NZISM_v3.7 16.3.6.C.01. NZISM_v3.7_16.3.6.C.01. NZISM v3.7 16.3.6.C.01. Privileged User Access 16.3.6.C.01. - To safeguard sensitive national data. Shared n/a Agencies MUST NOT allow foreign nationals, including seconded foreign nationals, to have privileged access to systems that process, store or communicate NZEO information. 2
NZISM_v3.7 16.4.32.C.02. NZISM_v3.7_16.4.32.C.02. NZISM v3.7 16.4.32.C.02. Privileged Access Management 16.4.32.C.02. - To enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Privileged Access credentials MUST NOT be issued until approval has been formally granted. 20
NZISM_v3.7 2.3.26.C.01. NZISM_v3.7_2.3.26.C.01. NZISM v3.7 2.3.26.C.01. Using Cloud Services 2.3.26.C.01. - To enhance security measures and minimise trust assumptions in cloud environments. Shared n/a Agencies intending to adopt public cloud technologies or services SHOULD incorporate Zero Trust philosophies and concepts. 4
PCI_DSS_v4.0.1 7.2.4 PCI_DSS_v4.0.1_7.2.4 PCI DSS v4.0.1 7.2.4 Restrict Access to System Components and Cardholder Data by Business Need to Know All user accounts and related access privileges, including third-party/vendor accounts, are reviewed as follows: At least once every six months. To ensure user accounts and access remain appropriate based on job function. Any inappropriate access is addressed. Management acknowledges that access remains appropriate Shared n/a Examine policies and procedures to verify they define processes to review all user accounts and related access privileges, including third-party/vendor accounts, in accordance with all elements specified in this requirement. Interview responsible personnel and examine documented results of periodic reviews of user accounts to verify that all the results are in accordance with all elements specified in this requirement 40
PCI_DSS_v4.0.1 7.2.5.1 PCI_DSS_v4.0.1_7.2.5.1 PCI DSS v4.0.1 7.2.5.1 Restrict Access to System Components and Cardholder Data by Business Need to Know All access by application and system accounts and related access privileges are reviewed as follows: Periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1). The application/system access remains appropriate for the function being performed. Any inappropriate access is addressed. Management acknowledges that access remains appropriate Shared n/a Examine policies and procedures to verify they define processes to review all application and system accounts and related access privileges in accordance with all elements specified in this requirement. Examine the entity’s targeted risk analysis for the frequency of periodic reviews of application and system accounts and related access privileges to verify the risk analysis was performed in accordance with all elements specified in Requirement 12.3.1. Interview responsible personnel and examine documented results of periodic reviews of system and application accounts and related privileges to verify that the reviews occur in accordance with all elements specified in this requirement 39
Sarbanes_Oxley_Act_(1)_2022_1 Sarbanes_Oxley_Act_(1)_2022_1 Sarbanes_Oxley_Act_(1)_2022_1 Sarbanes Oxley Act 2022 1 PUBLIC LAW Sarbanes Oxley Act 2022 (SOX) Shared n/a n/a 92
SOC_2023 CC6.2 SOC_2023_CC6.2 SOC 2023 CC6.2 Logical and Physical Access Controls To ensure effective access control and ensuring the security of the organization's systems and data. Shared n/a 1. Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. 2. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. 50
SOC_2023 CC6.3 SOC_2023_CC6.3 404 not found n/a n/a 56
SWIFT_CSCF_2024 1.2 SWIFT_CSCF_2024_1.2 SWIFT Customer Security Controls Framework 2024 1.2 Privileged Account Control Operating System Privileged Account Control Shared Tightly protecting administrator-level accounts within the operating system reduces the opportunity for an attacker to use the privileges of the account as part of an attack (for example, executing commands or deleting evidence). To restrict and control the allocation and usage of administrator-level operating system accounts. 53
SWIFT_CSCF_2024 11.2 SWIFT_CSCF_2024_11.2 404 not found n/a n/a 26
SWIFT_CSCF_2024 5.1 SWIFT_CSCF_2024_5.1 SWIFT Customer Security Controls Framework 2024 5.1 Access Control Logical Access Control Shared 1. Applying the security principles of (1) need-to-know, (2) least privilege, and (3) separation of duties is essential to restricting access to the user’s Swift infrastructure. 2. Effective management of operator accounts reduces the opportunities for a malicious person to use these accounts as part of an attack. To enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. 26
UK_NCSC_CAF_v3.2 B4.b UK_NCSC_CAF_v3.2_B4.b NCSC Cyber Assurance Framework (CAF) v3.2 B4.b System Security Secure Configuration Shared 1. Identify, document and actively manage (e.g. maintain security configurations, patching, updating according to good practice) the assets that need to be carefully configured to maintain the security of the essential function. 2. All platforms conform to secure, defined baseline build, or the latest known good configuration version for that environment. 3. Closely and effectively manage changes in the environment, ensuring that network and system configurations are secure and documented. 4. Regularly review and validate that your network and information systems have the expected, secure settings and configuration. 5. Only permitted software can be installed and standard users cannot change settings that would impact security or the business operation. 6. If automated decision-making technologies are in use, their operation is well understood, and decisions can be replicated. Securely configure the network and information systems that support the operation of essential functions. 37
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
Canada Federal PBMM 3-1-2020 f8f5293d-df94-484a-a3e7-6b422a999d91 Regulatory Compliance GA BuiltIn unknown
CIS Controls v8.1 046796ef-e8a7-4398-bbe9-cce970b1a3ae Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn unknown
CSA CSA Cloud Controls Matrix v4.0.12 8791506a-dec4-497a-a83f-3abfde37c400 Regulatory Compliance GA BuiltIn unknown
Cyber Essentials v3.1 b2f588d7-1ed5-47c7-977d-b93dff520c4c Regulatory Compliance GA BuiltIn unknown
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 a4087154-2edb-4329-b56a-1cc986807f3c Regulatory Compliance GA BuiltIn unknown
Enforce recommended guardrails for Azure Key Vault Enforce-Guardrails-KeyVault Key Vault GA ALZ
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
FBI Criminal Justice Information Services (CJIS) v5.9.5 4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721 Regulatory Compliance GA BuiltIn unknown
HITRUST CSF v11.3 e0d47b75-5d99-442a-9d60-07f2595ab095 Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27002 2022 e3030e83-88d5-4f23-8734-6577a2c97a32 Regulatory Compliance GA BuiltIn unknown
NCSC Cyber Assurance Framework (CAF) v3.2 6d220abf-cf6f-4b17-8f7e-0644c4cc84b4 Regulatory Compliance GA BuiltIn unknown
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn unknown
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn unknown
NIST CSF v2.0 184a0e05-7b06-4a68-bbbe-13b8353bc613 Regulatory Compliance GA BuiltIn unknown
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn unknown
NZISM v3.7 4476df0a-18ab-4bfe-b6ad-cccae1cf320f Regulatory Compliance GA BuiltIn unknown
PCI DSS v4.0.1 a06d5deb-24aa-4991-9d58-fa7563154e31 Regulatory Compliance GA BuiltIn unknown
Sarbanes Oxley Act 2022 5757cf73-35d1-46d4-8c78-17b7ddd6076a Regulatory Compliance GA BuiltIn unknown
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn unknown
SWIFT Customer Security Controls Framework 2024 7499005e-df5a-45d9-810f-041cf346678c Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2024-02-13 19:27:15 change Patch, old suffix: preview (1.0.0-preview > 1.0.1)
2023-01-27 18:40:07 add 12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5