
Enable Trusted Microsoft Services for Key Vault Access

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the "Allow trusted Microsoft services to bypass this firewall" exception is enabled within your Azure Key Vault network firewall configuration settings in order to grant vault access to trusted Azure cloud services. The trusted Microsoft services must also be given explicit permissions within the access policies associated with the Key Vault.

Security

Enabling network firewall rules for your Key Vaults blocks incoming requests for data, including requests from other Azure services. To allow certain Azure cloud services to work as intended and access your vault resources, you have to add an exception so that the trusted cloud services can bypass the firewall rules. If the "Allow trusted Microsoft services to bypass this firewall" exception is enabled, cloud services such as Azure Resource Manager, Azure Virtual Machines and Azure Disk Encryption can be granted access to your Key Vault resources. To enhance access security, all of these Azure cloud services use strong authentication methods to access your vault resources.


Audit

To determine if the "Allow trusted Microsoft services to bypass this firewall" exception is enabled for your Key Vaults, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Key vault to list all Key Vaults available in the selected subscription.

05 Click on the name of the Azure Key Vault that you want to examine.

06 In the navigation panel, under Settings, select Firewalls and virtual networks to access network security configuration page for the selected vault. If default "All networks" access is enabled, see this conformity rule to access the vault network firewall exceptions.

07 On the Firewalls and virtual networks page, check the Allow trusted Microsoft services to bypass this firewall? setting status. If the setting is set to No, other trusted Microsoft Azure cloud services are not allowed to access the resources available in the selected Key Vault.

08 Repeat steps no. 5 – 7 for each Azure Key Vault available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run keyvault list command (Windows/macOS/Linux) using custom query filters to list the names of all Key Vaults created in the current Azure subscription:

az keyvault list \
	--query '[*].name'

02 The command output should return the requested Azure Key Vault names:

[
  "cc-internal-app-vault",
  "cc-staging-key-vault"
]

03 Run keyvault show command (Windows/macOS/Linux) using the name of the Azure Key Vault that you want to examine as the identifier parameter and custom query filters to get the "Allow trusted Microsoft services to bypass this firewall" exception status for the selected vault:

az keyvault show \
	--name "cc-internal-app-vault" \
	--query 'properties.networkAcls.bypass'

04 The command output should return the requested exception configuration status:

"None"

If the keyvault show command output returns "None", as shown in the example above, no trusted Microsoft Azure cloud services are allowed to access the resources (keys, secrets and certificates) available in the selected Azure Key Vault.

05 Repeat step no. 3 and 4 for each Key Vault instance available within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
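The audit steps above (01 – 06) can be automated over the JSON that az keyvault show returns, and the same document also tells you whether the explicit trusted-service grants described under Remediation are in place. The script below is an added example and is not part of the Conformity rule or of the Azure CLI; evaluate_vault, audit_from_cli and the two sample vault documents are constructed here, and audit_from_cli assumes a logged-in az CLI.

```python
import json
import subprocess
from typing import Dict, List

# Access-policy flags that give the trusted services named in this rule explicit vault
# access; the keys are the property names returned by `az keyvault show`.
TRUSTED_SERVICE_FLAGS = {
    "enabledForTemplateDeployment": "Azure Resource Manager",
    "enabledForDeployment": "Azure Virtual Machines",
    "enabledForDiskEncryption": "Azure Disk Encryption",
}

def evaluate_vault(vault: Dict) -> Dict:
    """Return a finding for one vault document (parsed `az keyvault show` output)."""
    props = vault.get("properties") or {}
    acls = props.get("networkAcls") or {}      # null when no firewall was ever configured
    default_action = acls.get("defaultAction", "Allow")
    bypass = acls.get("bypass", "None")
    granted = [svc for flag, svc in TRUSTED_SERVICE_FLAGS.items() if props.get(flag)]
    if default_action != "Deny":
        status = "NOT_APPLICABLE"   # "All networks" access is open, so the exception is moot
    elif bypass != "AzureServices":
        status = "FAIL"             # firewall on, trusted Microsoft services are blocked
    elif not granted:
        status = "WARN"             # exception on, but no trusted service was granted access
    else:
        status = "PASS"
    return {"name": vault.get("name"), "status": status, "bypass": bypass,
            "defaultAction": default_action, "trustedServices": granted}

def audit_from_cli() -> List[Dict]:
    """Live audit of the current subscription (hypothetical helper; needs a logged-in az CLI)."""
    names = json.loads(subprocess.check_output(
        ["az", "keyvault", "list", "--query", "[*].name", "-o", "json"]))
    return [evaluate_vault(json.loads(subprocess.check_output(
        ["az", "keyvault", "show", "--name", n, "-o", "json"]))) for n in names]

# Constructed samples (only the fields this check reads); values mirror the page's before/after output.
SAMPLE_BEFORE = {"name": "cc-internal-app-vault", "properties": {
    "enabledForDeployment": False, "enabledForDiskEncryption": False,
    "enabledForTemplateDeployment": False,
    "networkAcls": {"bypass": "None", "defaultAction": "Deny"}}}
SAMPLE_AFTER = {"name": "cc-internal-app-vault", "properties": {
    "enabledForDeployment": True, "enabledForDiskEncryption": True,
    "enabledForTemplateDeployment": True,
    "networkAcls": {"bypass": "AzureServices", "defaultAction": "Deny"}}}

if __name__ == "__main__":
    for finding in (evaluate_vault(SAMPLE_BEFORE), evaluate_vault(SAMPLE_AFTER)):
        print(finding)   # status FAIL for the "before" vault, PASS for the "after" vault
```

Run audit_from_cli() once per subscription (after az account set) to cover step 06; a WARN result means the firewall exception is on but step 03 of the CLI remediation has not been applied yet.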

Remediation / Resolution

To enable and configure "Allow trusted Microsoft services to bypass this firewall" exception for your Azure Key Vaults, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Key vault to list all Key Vaults available in the selected subscription.

05 Click on the name of the Azure Key Vault that you want to reconfigure.

06 In the navigation panel, under Settings, select Firewalls and virtual networks to access network security configuration page for the selected vault.

07 On the Firewalls and virtual networks page, select Yes next to Allow trusted Microsoft services to bypass this firewall? configuration setting to enable the "Allow trusted Microsoft services to bypass this firewall" exception for the selected Key Vault. Click Save to apply the changes.

08 Now that the exception is enabled within the firewall configuration, you have to explicitly grant access to the trusted Microsoft Azure services by using the access policy associated with the selected vault. To do that, choose Access policies from the navigation panel, then select the trusted Microsoft Azure cloud service(s) that you want to access your Key Vault resources by selecting the checkbox of each required Azure service, available in the Enable Access to section. Click Save to apply the changes.

09 Repeat steps no. 5 – 8 for each Azure Key Vault available in the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run keyvault update command (Windows/macOS/Linux) using the name of the Azure Key Vault that you want to reconfigure as the identifier parameter to enable the "Allow trusted Microsoft services to bypass this firewall" exception for the selected Key Vault:

az keyvault update \
	--name "cc-internal-app-vault" \
	--bypass AzureServices

02 The command output should return the metadata available for the reconfigured vault:

{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-internal-app-vault",
  "location": "westeurope",
  "name": "cc-internal-app-vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
        "permissions": {
          "certificates": [
            "Get",
            "List",
            "Update",
            "Create",
            "Import",
            "Delete",
            "Recover",
            "Backup",
            "Restore",
            "ManageContacts",
            "ManageIssuers",
            "GetIssuers",
            "ListIssuers",
            "SetIssuers",
            "DeleteIssuers"
          ],
          "keys": [
            "Get",
            "List",
            "Update",
            "Create",
            "Import",
            "Delete",
            "Recover",
            "Backup",
            "Restore"
          ],
          "secrets": [
            "Get",
            "List",
            "Set",
            "Delete",
            "Recover",
            "Backup",
            "Restore"
          ],
          "storage": null
        },
        "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": null,
    "enableRbacAuthorization": false,
    "enableSoftDelete": null,
    "enabledForDeployment": false,
    "enabledForDiskEncryption": false,
    "enabledForTemplateDeployment": false,
    "networkAcls": {
      "bypass": "AzureServices",
      "defaultAction": "Deny",
      "ipRules": [],
      "virtualNetworkRules": []
    },
    "provisioningState": "Succeeded",
    "sku": {
      "name": "standard"
    },
    "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
    "vaultUri": "https://cc-internal-app-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}

03 Now that the exception is enabled in the firewall configuration, you have to explicitly grant access to the trusted Microsoft Azure cloud services by using the access policy associated with the selected vault. As an example, the following configuration enables the Azure Resource Manager service (represented by the --enabled-for-template-deployment parameter) to retrieve secrets from the selected vault when the vault is referenced in a template deployment, enables the Azure Virtual Machines service (--enabled-for-deployment parameter) to retrieve keys, secrets and certificates when the selected vault is referenced during virtual machine creation, and enables the Azure Disk Encryption service (--enabled-for-disk-encryption parameter) to retrieve secrets and unwrap encryption keys. To explicitly allow access from these trusted Microsoft Azure services, run keyvault update command (Windows/macOS/Linux) to update the access policy configured for the selected vault:

az keyvault update \
	--name "cc-internal-app-vault" \
	--enabled-for-template-deployment "true" \
	--enabled-for-deployment "true" \
	--enabled-for-disk-encryption "true"

04 The command output should return the configuration metadata available for the reconfigured Key Vault:

{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-internal-app-vault",
  "location": "westeurope",
  "name": "cc-internal-app-vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
        "permissions": {
          "certificates": [
            "Get",
            "List",
            "Update",
            "Create",
            "Import",
            "Delete",
            "Recover",
            "Backup",
            "Restore",
            "ManageContacts",
            "ManageIssuers",
            "GetIssuers",
            "ListIssuers",
            "SetIssuers",
            "DeleteIssuers"
          ],
          "keys": [
            "Get",
            "List",
            "Update",
            "Create",
            "Import",
            "Delete",
            "Recover",
            "Backup",
            "Restore"
          ],
          "secrets": [
            "Get",
            "List",
            "Set",
            "Delete",
            "Recover",
            "Backup",
            "Restore"
          ],
          "storage": null
        },
        "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": null,
    "enableRbacAuthorization": false,
    "enableSoftDelete": null,
    "enabledForDeployment": true,
    "enabledForDiskEncryption": true,
    "enabledForTemplateDeployment": true,
    "networkAcls": {
      "bypass": "AzureServices",
      "defaultAction": "Deny",
      "ipRules": [],
      "virtualNetworkRules": []
    },
    "provisioningState": "Succeeded",
    "sku": {
      "name": "standard"
    },
    "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
    "vaultUri": "https://cc-internal-app-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}

05 Repeat steps no. 1 – 4 for each Azure Key Vault available within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.


Publication date Aug 31, 2020