Ensure that there is no Microsoft Azure user, group or application with full administrator privileges configured to access and manage Azure Key Vaults, in order to adhere to security best practices and implement the principle of least privilege (i.e. the practice of providing every principal the minimal amount of access required to perform its tasks).
This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure
Because Azure Key Vaults store sensitive and business-critical data, you need to take steps to maximize the security of your vaults and of the data stored in them. An important measure is to grant each principal (user, group or application) permission to execute only the specific operations it needs on Azure Key Vault keys, secrets or certificates. This matters when, for example, an Azure user with administrator-level (full) permissions is used by an inexperienced person to access your Key Vault data: a single mistaken operation by that user can lead to severe security issues, data leaks and data loss.
Note: Azure Key Vault access policies apply at the vault level, not per object. When a principal is granted permission to create, update and delete keys, it can perform these operations on every key in that vault. Also note that if a vault uses the Azure RBAC permission model instead of access policies, the vault's access policy list does not apply, and the equivalent check is on the role assignments scoped to that vault.
To determine if there are any access policies with administrator-level permissions associated with your Azure Key Vaults, perform the following actions:
Remediation / Resolution
To update your Azure Key Vaults access policy in order to remove any principal (i.e. user, group or application) that has full administrator permissions to access and manage your vaults, perform the following actions:
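The following audit script is an added example and is not part of the Cloud Conformity rule steps. It takes the JSON that `az keyvault show --name <vault>` returns (the `properties.enableRbacAuthorization` flag and the `properties.accessPolicies[].permissions` lists) and flags every access policy that grants administrator-level rights. The vault documents in the block are constructed samples with placeholder object IDs. Two things count as administrator-level here: the legacy `all` permission, and the combination of create/set, delete and purge in one category; the second rule is this example's own heuristic (an assumption), chosen because it captures the create-and-destroy capability described above. The script also handles the RBAC edge case, where access policies are ignored by the service and must not be reported.

```python
"""Audit Azure Key Vault access policies for administrator-level grants.

Input shape follows the JSON printed by `az keyvault show --name <vault>`:
  properties.enableRbacAuthorization  -> bool
  properties.accessPolicies[]         -> {objectId, tenantId, permissions:{keys,secrets,certificates,...}}
Sample vaults below are constructed for this example (not real resources).
"""
import json
import sys

# Per-category operations that, together, let a principal create and destroy
# every object in that category. Treating this combination as administrator-level
# is this example's own heuristic (assumption); "all" is the legacy full grant.
ADMIN_OPS = {
    "keys": {"create", "delete", "purge"},
    "secrets": {"set", "delete", "purge"},
    "certificates": {"create", "delete", "purge"},
}


def admin_level_grants(permissions):
    """Return [(category, reason)] for each category granted at administrator level."""
    findings = []
    for category, ops in ADMIN_OPS.items():
        # Permission names are compared case-insensitively ("wrapKey" vs "wrapkey").
        granted = {p.lower() for p in (permissions.get(category) or [])}
        if "all" in granted:
            findings.append((category, "legacy 'all' permission"))
        elif ops <= granted:
            findings.append((category, "create/set + delete + purge"))
    return findings


def audit_vault(vault):
    """Audit one vault document; returns a dict with the permission model and findings."""
    props = vault["properties"]
    if props.get("enableRbacAuthorization"):
        # Access policies are ignored by the service under the RBAC model;
        # the equivalent check is on role assignments scoped to this vault.
        return {"vault": vault["name"], "model": "rbac", "findings": []}
    findings = []
    for policy in props.get("accessPolicies", []):
        for category, reason in admin_level_grants(policy.get("permissions", {})):
            findings.append({
                "objectId": policy["objectId"],
                "category": category,
                "reason": reason,
            })
    return {"vault": vault["name"], "model": "accessPolicy", "findings": findings}


# Constructed sample: one vault using access policies, one using Azure RBAC.
SAMPLE_VAULT = {
    "name": "kv-example-prod",
    "properties": {
        "enableRbacAuthorization": False,
        "accessPolicies": [
            {   # administrator-level: legacy "all" on keys (placeholder object ID)
                "objectId": "00000000-0000-0000-0000-000000000001",
                "permissions": {"keys": ["all"], "secrets": ["get", "list"]},
            },
            {   # least-privilege application: read secrets only
                "objectId": "00000000-0000-0000-0000-000000000002",
                "permissions": {"secrets": ["get", "list"]},
            },
            {   # administrator-level: can create and destroy every certificate
                "objectId": "00000000-0000-0000-0000-000000000003",
                "permissions": {
                    "certificates": ["get", "create", "delete", "purge"],
                    "keys": ["wrapKey", "unwrapKey"],
                },
            },
        ],
    },
}

RBAC_VAULT = {
    "name": "kv-example-rbac",
    "properties": {
        "enableRbacAuthorization": True,
        # A stale policy left behind after migration; the service ignores it.
        "accessPolicies": [
            {"objectId": "00000000-0000-0000-0000-000000000004",
             "permissions": {"keys": ["all"]}},
        ],
    },
}


if __name__ == "__main__":
    # Pipe real output in (az keyvault show --name <vault> -o json | python3 audit_kv.py)
    # or run with no input to audit the constructed samples.
    vaults = [json.load(sys.stdin)] if not sys.stdin.isatty() else [SAMPLE_VAULT, RBAC_VAULT]
    for v in vaults:
        print(json.dumps(audit_vault(v), indent=2))
```

On a real subscription, `az keyvault list --query "[].name" -o tsv` gives the vault names to feed through the script. For a flagged principal, the CLI equivalent of the remediation is to drop the policy entirely with `az keyvault delete-policy --name <vault> --object-id <id>` or to replace it with a narrower grant, for example `az keyvault set-policy --name <vault> --object-id <id> --secret-permissions get list`, which overwrites the principal's secret permissions with only those listed.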
Rule: Check for Key Vault Full Administrator Permissions
Risk level: High