End of Life Notice: For Trend Cloud One™ - Conformity customers, Conformity will reach its End of Sale on July 31st, 2025 and End of Life on July 31st, 2026. The same capabilities and much more are available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™.

Enable Role-Based Access Control (RBAC) Authorization


Risk Level: Medium (should be achieved)
Rule ID: KeyVault-017

Ensure that Role-Based Access Control (RBAC) authorization is enabled for your Microsoft Azure Key Vaults in order to achieve fine-grained control over Key Vault resources. In Microsoft Azure, Role-Based Access Control (RBAC) represents an efficient method of regulating access to cloud resources based on the roles of individual users or groups within an organization.

Security

Role-Based Access Control (RBAC) provides more precise control over access to Azure Key Vault resources (keys, secrets, and certificates) than the legacy vault access policy model, and strengthens security by integrating with privileged identity management. With RBAC authorization enabled, you can protect your Azure Key Vaults so that only the right identities have access, and only when they need it.


Audit

To determine the permission model used by your Microsoft Azure Key Vaults, perform the following operations:

Using Azure Portal

  1. Sign in to the Microsoft Azure Portal.

  2. Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

  3. Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

  4. From the Type equals all filter box, choose Equals, select Key vault, and choose Apply to list only the Key Vaults available in the selected Azure subscription.

  5. Click on the name (link) of the Azure Key Vault that you want to examine.

  6. In the resource navigation panel, under Settings, select Access configuration.

  7. On the Access configuration page, check the configuration option selected for Permission model to determine the permission model used by your Key Vault. If the selected option is not Azure role-based access control (recommended), Role-Based Access Control (RBAC) authorization is not enabled for the selected Microsoft Azure Key Vault.

  8. Repeat steps no. 5 – 7 for each Key Vault provisioned in the selected Azure subscription.

  9. Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

  1. Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

    az account list \
        --query '[*].id'
    
  2. The command output should return the requested subscription identifiers (IDs):

    [
    	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
    	"abcd1234-abcd-1234-abcd-abcd1234abcd"
    ]
    
  3. Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter, to set the selected subscription as the current active subscription (the command does not produce any output):

    az account set \
        --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
    
  4. Run the keyvault list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group of each Azure Key Vault available in the selected Azure subscription:

    az keyvault list \
        --output table \
        --query '[*].{name:name, resourceGroup:resourceGroup}'
    
  5. The command output should return the requested Key Vault names:

    Name                   ResourceGroup
    ---------------------  ------------------------------
    cc-project5-key-vault  cloud-shell-storage-westeurope
    cc-production-vault    cloud-shell-storage-westeurope
    
  6. Run the keyvault show command (Windows/macOS/Linux) with the name of the Azure Key Vault that you want to examine (and its associated resource group) as the identifier parameters, to describe the status of the RBAC authorization feature for the selected Key Vault:

    az keyvault show \
        --name cc-project5-key-vault \
        --resource-group cloud-shell-storage-westeurope \
        --query '{enableRbacAuthorization:properties.enableRbacAuthorization}'
    
  7. The command output should return the requested feature status (true for enabled, false for disabled):

    {
    	"enableRbacAuthorization": false
    }
    
    If the command output returns false or null for the "enableRbacAuthorization" configuration attribute, Role-Based Access Control (RBAC) authorization is not enabled for the selected Microsoft Azure Key Vault.

  8. Repeat steps no. 6 and 7 for each Key Vault available within the selected Azure subscription.

  9. Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that Role-Based Access Control (RBAC) authorization is enabled for your Azure Key Vaults, perform the following operations:

Using Azure Portal

  1. Sign in to the Microsoft Azure Portal.

  2. Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

  3. Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

  4. From the Type equals all filter box, choose Equals, select Key vault, and choose Apply to list only the Key Vaults available in the selected Azure subscription.

  5. Click on the name (link) of the Azure Key Vault that you want to configure.

  6. In the resource navigation panel, under Settings, select Access configuration.

  7. On the Access configuration page, select Azure role-based access control (recommended) under Permission model to enable Role-Based Access Control (RBAC) authorization for the selected Microsoft Azure Key Vault. Choose Apply to apply the configuration changes.

  8. Repeat steps no. 5 – 7 for each Key Vault that you want to configure, available in the selected subscription.

  9. Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

  1. Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

    az account list \
        --query '[*].id'
    
  2. The command output should return the requested subscription identifiers (IDs):

    [
    	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
    	"abcd1234-abcd-1234-abcd-abcd1234abcd"
    ]
    
  3. Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to configure as the identifier parameter, to set the selected subscription as the current active subscription (the command does not produce any output):

    az account set \
        --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
    
  4. Run the keyvault update command (Windows/macOS/Linux) with the name of the Azure Key Vault that you want to configure (and its associated resource group) as the identifier parameters, to enable Role-Based Access Control (RBAC) authorization for the selected Key Vault:

    az keyvault update \
        --name cc-project5-key-vault \
        --resource-group cloud-shell-storage-westeurope \
        --enable-rbac-authorization true
    
  5. The command output should return the configuration information available for the modified Key Vault:

    {
    	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-project5-key-vault",
    	"location": "westeurope",
    	"name": "cc-project5-key-vault",
    	"properties": {
    		"accessPolicies": [
    			{
    				"applicationId": null,
    				"objectId": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
    				"permissions": {
    					"certificates": [
    						"Get",
    						"List",
    						"Update",
    						"Create",
    						"Import",
    						"Delete",
    						"Recover",
    						"Backup",
    						"Restore",
    						"ManageContacts",
    						"ManageIssuers",
    						"GetIssuers",
    						"ListIssuers",
    						"SetIssuers",
    						"DeleteIssuers"
    					],
    					"keys": [
    						"Get",
    						"List",
    						"Update",
    						"Create",
    						"Import",
    						"Delete",
    						"Recover",
    						"Backup",
    						"Restore",
    						"GetRotationPolicy",
    						"SetRotationPolicy",
    						"Rotate"
    					],
    					"secrets": [
    						"Get",
    						"List",
    						"Set",
    						"Delete",
    						"Recover",
    						"Backup",
    						"Restore"
    					],
    					"storage": null
    				},
    				"tenantId": "1234abcd-1234-abcd-1234-abcdabcdabcd"
    			}
    		],
    		"createMode": null,
    		"enablePurgeProtection": null,
    		"enableRbacAuthorization": true,
    		"enableSoftDelete": true,
    		"enabledForDeployment": true,
    		"enabledForDiskEncryption": true,
    		"enabledForTemplateDeployment": true,
    		"hsmPoolResourceId": null,
    		"networkAcls": null,
    		"privateEndpointConnections": null,
    		"provisioningState": "Succeeded",
    		"publicNetworkAccess": "Enabled",
    		"sku": {
    			"family": "A",
    			"name": "Standard"
    		},
    		"softDeleteRetentionInDays": 90,
    		"tenantId": "abcdabcd-1234-abcd-1234-abcdabcdabcd"
    	},
    	"resourceGroup": "cloud-shell-storage-westeurope",
    	"tags": {},
    	"type": "Microsoft.KeyVault/vaults"
    }
    
  6. Repeat steps no. 4 and 5 for each Key Vault that you want to configure, available within the selected Azure subscription.

  7. Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.
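The audit loop (steps 3 to 8 of the Azure CLI audit) and the remediation update (step 4 above) can be scripted across every subscription. The following Python script is an added example, not part of the original article or of the Conformity product: it wraps the same az commands via subprocess, treats both false and null for enableRbacAuthorization as non-compliant, and flips the switch only when run with a hypothetical --fix flag. It assumes an authenticated Azure CLI session (az login) and Python 3.9 or later; the embedded sample vaults are constructed data in the shape of az keyvault show output.

```python
import json
import subprocess
import sys
from typing import Any, Iterable

def az(*args: str) -> Any:
    """Run an az CLI command and return its parsed JSON output (None when silent)."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None

def rbac_enabled(vault: dict) -> bool:
    """Pass only on an explicit true: the article treats false and null alike."""
    return (vault.get("properties") or {}).get("enableRbacAuthorization") is True

def non_compliant(vaults: Iterable[dict]) -> list[str]:
    """Return 'resourceGroup/name' for every vault still on the access-policy model."""
    return [f"{v['resourceGroup']}/{v['name']}" for v in vaults if not rbac_enabled(v)]

def audit_subscription(subscription_id: str) -> list[str]:
    """Audit steps 3-8: select the subscription, list its vaults, inspect each one."""
    az("account", "set", "--subscription", subscription_id)
    vaults = az("keyvault", "list", "--query", "[*].{name:name, resourceGroup:resourceGroup}") or []
    details = [az("keyvault", "show", "--name", v["name"], "--resource-group", v["resourceGroup"])
               for v in vaults]
    return non_compliant(details)

def remediate(vault_ref: str) -> None:
    """Remediation step 4. Azure caveat (not from the article): once RBAC is on, the
    vault's access policies are ignored, so assign Key Vault RBAC roles to callers first."""
    group, name = vault_ref.split("/", 1)
    az("keyvault", "update", "--name", name, "--resource-group", group,
       "--enable-rbac-authorization", "true")

# Constructed sample shaped like `az keyvault show` output, so the logic runs offline.
SAMPLE_VAULTS = [
    {"name": "cc-project5-key-vault", "resourceGroup": "cloud-shell-storage-westeurope",
     "properties": {"enableRbacAuthorization": False}},
    {"name": "cc-production-vault", "resourceGroup": "cloud-shell-storage-westeurope",
     "properties": {"enableRbacAuthorization": None}},
    {"name": "cc-rbac-vault", "resourceGroup": "cloud-shell-storage-westeurope",
     "properties": {"enableRbacAuthorization": True}},
]

if __name__ == "__main__":
    fix = "--fix" in sys.argv  # hypothetical flag: report only unless explicitly asked to fix
    for sub in az("account", "list", "--query", "[*].id"):
        for ref in audit_subscription(sub):
            print(f"{sub}: {ref} -> RBAC authorization NOT enabled")
            if fix:
                remediate(ref)
```

Run it without arguments to get a report of non-compliant vaults per subscription; the script never modifies a vault unless --fix is passed.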


Publication date Feb 13, 2025