
Enable Role-Based Access Control (RBAC) Authorization

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: KeyVault-017

Ensure that Role-Based Access Control (RBAC) authorization is enabled for your Microsoft Azure Key Vaults in order to achieve fine-grained control over Key Vault resources. In Microsoft Azure, Role-Based Access Control (RBAC) represents an efficient method of regulating access to cloud resources based on the roles of individual users or groups within an organization.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Role-Based Access Control (RBAC) enables more precise access to Azure Key Vault resources (keys, secrets, and certificates) than standard access policies and enhances security through privileged identity management. With RBAC authorization, you can effectively protect your Azure Key Vaults, ensuring that only the right individuals have access when needed.

Audit

To determine the permission model used by your Microsoft Azure Key Vaults, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Key vault, and choose Apply to list only the Key Vaults available in the selected Azure subscription.

05 Click on the name (link) of the Azure Key Vault that you want to examine.

06 In the resource navigation panel, under Settings, select Access configuration.

07 On the Access configuration page, check the configuration option selected for Permission model to determine the permission model used by your Key Vault. If the selected option is not Azure role-based access control (recommended), Role-Based Access Control (RBAC) authorization is not enabled for the selected Microsoft Azure Key Vault.

08 Repeat steps no. 5 – 7 for each Key Vault provisioned in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription as the current active subscription (the command does not produce any output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run keyvault list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Key Vault available in the selected Azure subscription:

az keyvault list \
	--output table \
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested Key Vault names:

Name                   ResourceGroup
---------------------  ------------------------------
cc-project5-key-vault  cloud-shell-storage-westeurope
cc-production-vault    cloud-shell-storage-westeurope

06 Run keyvault show command (Windows/macOS/Linux) with the name of the Azure Key Vault that you want to examine (and the associated resource group) as identifier parameters, to describe the configuration status of the RBAC authorization feature, available for the selected Key Vault:

az keyvault show \
	--name cc-project5-key-vault \
	--resource-group cloud-shell-storage-westeurope \
	--query '{enableRbacAuthorization:properties.enableRbacAuthorization}'

07 The command output should return the requested feature status (true for enabled, false for disabled):

{
	"enableRbacAuthorization": false
}

If the command output returns false or null for the "enableRbacAuthorization" configuration attribute, Role-Based Access Control (RBAC) authorization is not enabled for the selected Microsoft Azure Key Vault.

08 Repeat steps no. 6 and 7 for each Key Vault available within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that Role-Based Access Control (RBAC) authorization is enabled for your Azure Key Vaults, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Key vault, and choose Apply to list only the Key Vaults available in the selected Azure subscription.

05 Click on the name (link) of the Azure Key Vault that you want to configure.

06 In the resource navigation panel, under Settings, select Access configuration.

07 On the Access configuration page, select Azure role-based access control (recommended) under Permission model to enable Role-Based Access Control (RBAC) authorization for the selected Microsoft Azure Key Vault. Choose Apply to apply the configuration changes.

08 Repeat steps no. 5 – 7 for each Key Vault that you want to configure, available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription as the current active subscription (the command does not produce any output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run keyvault update command (Windows/macOS/Linux) with the name of the Azure Key Vault that you want to configure (and the associated resource group) as identifier parameters, to enable Role-Based Access Control (RBAC) authorization for the selected Key Vault:

az keyvault update \
	--name cc-project5-key-vault \
	--resource-group cloud-shell-storage-westeurope \
	--enable-rbac-authorization true

05 The command output should return the configuration information available for the modified Key Vault:

{
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-project5-key-vault",
	"location": "westeurope",
	"name": "cc-project5-key-vault",
	"properties": {
		"accessPolicies": [
			{
				"applicationId": null,
				"objectId": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
				"permissions": {
					"certificates": [
						"Get",
						"List",
						"Update",
						"Create",
						"Import",
						"Delete",
						"Recover",
						"Backup",
						"Restore",
						"ManageContacts",
						"ManageIssuers",
						"GetIssuers",
						"ListIssuers",
						"SetIssuers",
						"DeleteIssuers"
					],
					"keys": [
						"Get",
						"List",
						"Update",
						"Create",
						"Import",
						"Delete",
						"Recover",
						"Backup",
						"Restore",
						"GetRotationPolicy",
						"SetRotationPolicy",
						"Rotate"
					],
					"secrets": [
						"Get",
						"List",
						"Set",
						"Delete",
						"Recover",
						"Backup",
						"Restore"
					],
					"storage": null
				},
				"tenantId": "1234abcd-1234-abcd-1234-abcdabcdabcd"
			}
		],
		"createMode": null,
		"enablePurgeProtection": null,
		"enableRbacAuthorization": true,
		"enableSoftDelete": true,
		"enabledForDeployment": true,
		"enabledForDiskEncryption": true,
		"enabledForTemplateDeployment": true,
		"hsmPoolResourceId": null,
		"networkAcls": null,
		"privateEndpointConnections": null,
		"provisioningState": "Succeeded",
		"publicNetworkAccess": "Enabled",
		"sku": {
			"family": "A",
			"name": "Standard"
		},
		"softDeleteRetentionInDays": 90,
		"tenantId": "abcdabcd-1234-abcd-1234-abcdabcdabcd"
	},
	"resourceGroup": "cloud-shell-storage-westeurope",
	"tags": {},
	"type": "Microsoft.KeyVault/vaults"
}

06 Repeat steps no. 4 and 5 for each Key Vault that you want to configure, available within the selected Azure subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.
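The Audit CLI procedure (steps 01 to 07) and the Remediation keyvault update command above can be combined into one script that walks every subscription and vault. The following is an added example, not the Conformity page's own tooling; it assumes the Azure CLI is installed and already authenticated, and the function names and the --audit/--remediate flags are this example's own.

```shell
#!/bin/sh
# Added example (not the Conformity page's own tooling): audits every Key Vault
# in every visible subscription for KeyVault-017 and, with --remediate, switches
# non-compliant vaults to RBAC. Assumes the Azure CLI is installed and logged in.

# Map the raw JSON value of properties.enableRbacAuthorization to a verdict:
# only "true" is compliant; "false", "null" and an absent value are not.
evaluate_rbac_status() {
    case "$1" in
        true)          echo "COMPLIANT" ;;
        false|null|"") echo "NON_COMPLIANT" ;;
        *)             echo "UNKNOWN" ;;   # lookup failed, do not guess
    esac
}

# Audit steps 06-07 for one vault: prints "<name> <group> <verdict>".
audit_key_vault() {
    if ! raw="$(az keyvault show --name "$1" --resource-group "$2" \
            --query 'properties.enableRbacAuthorization' --output json 2>/dev/null)"
    then raw="ERROR"; fi
    printf '%s\t%s\t%s\n' "$1" "$2" "$(evaluate_rbac_status "$raw")"
}

# Remediation step 04 for one vault; prints the attribute's new value (true).
remediate_key_vault() {
    az keyvault update --name "$1" --resource-group "$2" \
        --enable-rbac-authorization true \
        --query 'properties.enableRbacAuthorization' --output json
}

# Audit steps 01-05: every subscription, then every vault in it.
audit_all_subscriptions() {
    for subscription_id in $(az account list --query '[*].id' --output tsv); do
        az account set --subscription "$subscription_id"
        az keyvault list --query '[*].[name,resourceGroup]' --output tsv |
        while read -r vault_name resource_group; do
            finding="$(audit_key_vault "$vault_name" "$resource_group")"
            case "$finding" in
                *NON_COMPLIANT)
                    printf '%s\t%s\n' "$subscription_id" "$finding"
                    if [ "$1" = "--remediate" ]; then
                        remediate_key_vault "$vault_name" "$resource_group"
                    fi ;;
            esac
        done
    done
}
# Only call Azure when asked, so sourcing the file for its functions is safe.
case "${1:-}" in --audit|--remediate) audit_all_subscriptions "$1" ;; esac
```

Switching the permission model makes the vault's existing access policies inert (they still appear under accessPolicies, as in the output above, but are no longer evaluated), so confirm that the principals who need keys, secrets or certificates already hold the corresponding Key Vault RBAC roles before running with --remediate.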

Publication date Feb 13, 2025