Ensure that there is no Microsoft Azure user, group or application with full administrator privileges configured to access and manage Azure Key Vaults, in order to adhere to security best practices and implement the principle of least privilege (i.e. the practice of providing every principal the minimal amount of access required to perform its tasks).
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Because Azure Key Vaults are storing sensitive and business critical data, you need to take actions to maximize the security of your vaults and the data stored in them. An important measure is to grant a principal (user, group or application) access to execute only specific operations for Azure Key Vault keys, secrets or certificates. This can be extremely useful when, for example, an Azure user with administrator-level permissions (full privileges) is used by an inexperienced person to access your Key Vault data, as his actions can lead to severe security issues, data leaks and data loss.
Note: Azure Key Vault access policies apply at the vault level. When a principal is granted permission to create, update and delete keys, he can perform these operations on all the keys available in that vault.
Audit
To determine if there are any access policies with administrator-level permissions associated with your Azure Key Vaults, perform the following actions:
Remediation / Resolution
To update your Azure Key Vaults access policy in order to remove any principal (i.e. user, group or application) that has full administrator permissions to access and manage your vaults, perform the following actions:
References
- Azure Official Documentation
- Azure Key Vault security
- Secure access to a key vault
- Provide Key Vault authentication with an access control policy
- Azure Command Line Interface (CLI) Documentation
- az keyvault list
- az keyvault show
- az keyvault delete-policy
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
Check for Key Vault Full Administrator Permissions
Risk Level: High