Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Azure Key Vault Cross-Subscription Access

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Microsoft Azure key vaults are configured to allow access only to trusted Azure subscription in order to protect against unauthorized access. This approach strengthens security by minimizing the risk of unauthorized access to sensitive data stored in Azure key vaults. The list with the trusted Azure subscriptions must be defined in the conformity rule settings, in the Trend Micro Cloud One™ – Conformity account console.

Security

It is crucial to avoid cross-subscription access to Azure Key Vault in order to maintain robust security boundaries and prevent unauthorized access to sensitive cryptographic materials. Allowing key vault resources to be accessed from different subscriptions can increase the risk of data breaches by broadening the attack surface and potentially exposing cryptographic assets to unauthorized users or services in other subscriptions.


Audit

To determine if your Azure key vaults allow unknown, untrusted cross-subscription access, perform the following operations:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equalls all filter box, choose Equals, select Key vault, and choose Apply to list only the Azure key vaults available in the selected subscription.

05 Click on the name (link) of the Azure key vault that you want to examine.

06 In the navigation panel, choose Access control (IAM).

07 Select the Role assignments tab, choose the All tab, and select This resource from the Scope : All scopes filter box, to list all role assignments for the selected key vault, showing which users, groups, or service principals have been assigned what roles at the key vault level.

08 Select the role assignment that you want to examine and identify the subscription associated with the selected identity, i.e. /subscriptions/\<subscription-id\>/resourcegroups/\<resource-group-name\>/providers/Microsoft.ManagedIdentity/\<identity-type\>/\<identity-name\>, where \<subscription-id\> is the ID of the Azure subscription that manages the selected identity. If the identity's subscription differs from the key vault subscription chosen in step 3, cross-subscription access is configured for the selected Azure key vault. Perform this step for every role assignment listed on the Access control (IAM) page.

09 Sign in to your Trend Micro Cloud One™ – Conformity account, access Azure Key Vault Cross-Subscription Access conformity rule settings, and compare the \<subscription-id\> of each associated identity against each Azure subscription ID defined in the rule configuration. If one or more subscription IDs are not included in the list of trusted Azure subscriptions available in the rule settings, the cross-subscription access configuration available for the selected Azure key vault is not compliant.

10 Repeat steps no. 5 – 9 for each Azure key vault available in the selected subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the subscriptions available in your Azure account:

az account list
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd",
]

03 Run keyvault list command (Windows/macOS/Linux) with custom output filters to list the IDs of the key vault instances available within the current Azure subscription:

az keyvault list
  --subscription "abcdabcd-1234-abcd-1234-abcdabcdabcd"
  --query '[*].id'

04 The command output should return the requested Azure key vault IDs:

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-key-vault",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-data-warehouse-vault"
]

05 Run role assignment list command (Windows/macOS/Linux) with the name of the Azure key vault that you want to examine as the identifier parameter and custom output filters to list the principal ID of each role assignment, defined for the selected key vault:

az role assignment list
  --scope "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-key-vault"
  --query '[*].principalId'

06 The command output should return the principal ID(s):

[
	"abcd1234-abcd-1234-abcd-1234abcd1234"
]

07 Run role assignment list command (Windows/macOS/Linux) to describe the Microsoft Azure subscription associated with the specified principal:

az role assignment list
  --assignee "abcd1234-abcd-1234-abcd-1234abcd1234"
  --query '[*].scope'

08 The command output should return the ID of associated subscription, i.e. /subscriptions/\<subscription-id\>, where \<subscription-id\> is the ID of the Azure subscription that manages the selected principal. If the principal's subscription differs from the key vault subscription selected in step 3, cross-subscription access is configured for the selected Azure key vault:

[
	"/subscriptions/12341234-abcd-1234-abcd-123412341234"
]

09 Sign in to your Trend Micro Cloud One™ – Conformity account, access Azure Key Vault Cross-Subscription Access conformity rule settings, and compare the \<subscription-id\> of each associated principal against each Azure subscription ID defined in the rule configuration. If one or more subscription IDs are not included in the list of trusted Azure subscriptions available in the rule settings, the cross-subscription access configuration available for the selected Azure key vault is not compliant.

10 Repeat steps no. 5 – 9 for each Microsoft Azure key vault available in the current subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To update the issuance policy attached to your Azure Key Vault certificates in order to increase their key size, perform the following operations:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equalls all filter box, choose Equals, select Key vault, and choose Apply to list only the Azure key vaults available in the selected subscription.

05 Click on the name (link) of the Azure key vault that you want to configure.

06 In the navigation panel, choose Access control (IAM).

07 Select the Role assignments tab, choose the All tab, and select This resource from the Scope : All scopes filter box, to list all role assignments for the selected key vault, showing which users, groups, or service principals have been assigned what roles at the key vault level.

08 Select the non-compliant role assignment that you want to remove and choose Delete.

09 Inside the Remove role assignments confirmation box, choose Yes to remove the selected role assignment.

10 Repeat steps no. 5 – 9 for each Azure key vault that you want to configure, available in the selected subscription.

11 Repeat steps no. 3 – 10 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run role assignment list command (Windows/macOS/Linux) with the name of the Azure key vault that you want to configure as the identifier parameter and custom output filters to list the full ID of each role assignment, defined for the selected key vault:

az role assignment list
  --scope "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-key-vault"
  --query '[*].id'

02 The command output should return the role assignment ID(s):

[
	"/subscriptions/12341234-abcd-1234-abcd-123412341234/resourceGroups/cloud-shell-storage-westeurope2/providers/Microsoft.KeyVault/vaults/cc-production-key-vault/providers/Microsoft.Authorization/roleAssignments/abcdabcd-abcd-1234-abcd-abcdabcdabcd"
]

03 Run role assignment delete command (Windows/macOS/Linux) to remove the non-compliant role assignment from the associated Microsoft Azure key vault in order to protect the key vault resources from unauthorized cross-subscription access (the command does not produce an output):

az role assignment delete
  --ids "/subscriptions/12341234-abcd-1234-abcd-123412341234/resourceGroups/cloud-shell-storage-westeurope2/providers/Microsoft.KeyVault/vaults/cc-production-key-vault/providers/Microsoft.Authorization/roleAssignments/abcdabcd-abcd-1234-abcd-abcdabcdabcd"

04 Repeat steps no. 1 – 3 for each Microsoft Azure key vault that you want to configure, available in the selected subscription.

05 Repeat steps no. 1 – 4 for each subscription created in your Microsoft Azure cloud account.

References

Publication date Aug 26, 2024

Unlock the Remediation Steps


Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Azure Key Vault Cross-Subscription Access

Risk Level: High