Ensure that your Microsoft Azure key vaults are configured to allow access only to trusted Azure subscription in order to protect against unauthorized access. This approach strengthens security by minimizing the risk of unauthorized access to sensitive data stored in Azure key vaults. The list with the trusted Azure subscriptions must be defined in the conformity rule settings, in the Trend Micro Cloud One™ – Conformity account console.
It is crucial to avoid cross-subscription access to Azure Key Vault in order to maintain robust security boundaries and prevent unauthorized access to sensitive cryptographic materials. Allowing key vault resources to be accessed from different subscriptions can increase the risk of data breaches by broadening the attack surface and potentially exposing cryptographic assets to unauthorized users or services in other subscriptions.
Audit
To determine if your Azure key vaults allow unknown, untrusted cross-subscription access, perform the following operations:
Remediation / Resolution
To update the issuance policy attached to your Azure Key Vault certificates in order to increase their key size, perform the following operations:
References
- Azure Official Documentation
- Azure Key Vault security
- Azure role-based access control (Azure RBAC) vs. access policies (legacy)
- Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control
- Azure Command Line Interface (CLI) Documentation
- az account list
- az keyvault list
- az role assignment list
- az role assignment delete
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
Azure Key Vault Cross-Subscription Access
Risk Level: High