Check for Key Vault Full Administrator Permissions

Risk Level: High (not acceptable risk)

Rule ID: KeyVault-005

Ensure that there is no Microsoft Azure user, group or application with full administrator privileges configured to access and manage Azure Key Vaults, in order to adhere to security best practices and implement the principle of least privilege (i.e. the practice of providing every principal the minimal amount of access required to perform its tasks).

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Because Azure Key Vaults are storing sensitive and business critical data, you need to take actions to maximize the security of your vaults and the data stored in them. An important measure is to grant a principal (user, group or application) access to execute only specific operations for Azure Key Vault keys, secrets or certificates. This can be extremely useful when, for example, an Azure user with administrator-level permissions (full privileges) is used by an inexperienced person to access your Key Vault data, as his actions can lead to severe security issues, data leaks and data loss.

Note: Azure Key Vault access policies apply at the vault level. When a principal is granted permission to create, update and delete keys, he can perform these operations on all the keys available in that vault.

Audit

To determine if there are any access policies with administrator-level permissions associated with your Azure Key Vaults, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Key vault to list all Key Vault instances available in the selected subscription.

05 Click on the name of the Azure Key Vault that you want to examine.

06 In the navigation panel, under Settings, select Access policies to view access the policies associated with the selected vault.

07 On the Access policies page, choose the policy that you want to examine from the Current Access Policies section, and check the permissions configured for each policy principal, listed in the Key Permissions, Secret Permissions and Certificate Permissions dropdown lists. If all the operations are selected/enabled inside the Key Permissions, Secret Permissions and Certificate Permissions dropdown lists, the principal (user, group or application) of the verified access policy has full permissions to access and manage the selected Azure Key Vault.

08 Repeat step no. 7 for each access policy associated with the selected Key Vault.

09 Repeat steps no. 5 – 8 for each Azure Key Vault available in the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run keyvault list command (Windows/macOS/Linux) using custom query filters to list the names of all Key Vault instances created in the current Azure subscription:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

az keyvault list
	--query '[*].name'

02 The command output should return the requested Azure Key Vault instance names:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

[
  "cc-production-key-vault",
  "cc-data-warehouse-vault"
]

03 Run keyvault show command (Windows/macOS/Linux) using the name of the Key Vault instance that you want to examine as identifier parameter and custom query filters to describe the permissions configured for each access policy principal associated with the selected vault:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

az keyvault show
	--name "cc-production-key-vault"
	--query 'properties.accessPolicies[*].{"PrincipalId":objectId, "permissions":permissions}'

04 The command output should return the permissions configured for each assigned policy principal. Each access policy is represented by a JSON object where the principal is identified by the "PrincipalId" attribute value:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

[
  {
    "PrincipalId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
    "permissions": {
      "certificates": [
        "Get",
        "List",
        "Update",
        "Create",
        "Import",
        "Delete",
        "Recover",
        "Backup",
        "Restore",
        "ManageContacts",
        "ManageIssuers",
        "GetIssuers",
        "ListIssuers",
        "SetIssuers",
        "DeleteIssuers",
        "Purge"
      ],
      "keys": [
        "Get",
        "List",
        "Update",
        "Create",
        "Import",
        "Delete",
        "Recover",
        "Backup",
        "Restore",
        "Decrypt",
        "Encrypt",
        "UnwrapKey",
        "WrapKey",
        "Verify",
        "Sign",
        "Purge"
      ],
      "secrets": [
        "Get",
        "List",
        "Set",
        "Delete",
        "Recover",
        "Backup",
        "Restore",
        "Purge"
      ],
      "storage": null
    }
  },
  {
    "PrincipalId": "abcd1234-abcd-1234-abcd-abcd1234abcd",
    "permissions": {
      "certificates": [
        "List"
      ],
      "keys": [
        "List"
      ],
      "secrets": [
        "List"
      ],
      "storage": null
    }
  }
]

05 The complete list of key, secret and certificate permissions that an access policy principal can have over a Microsoft Azure Key Vault:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

"permissions": {
  "certificates": [
    "Get",
    "List",
    "Update",
    "Create",
    "Import",
    "Delete",
    "Recover",
    "Backup",
    "Restore",
    "ManageContacts",
    "ManageIssuers",
    "GetIssuers",
    "ListIssuers",
    "SetIssuers",
    "DeleteIssuers",
    "Purge"
  ],
  "keys": [
    "Get",
    "List",
    "Update",
    "Create",
    "Import",
    "Delete",
    "Recover",
    "Backup",
    "Restore",
    "Decrypt",
    "Encrypt",
    "UnwrapKey",
    "WrapKey",
    "Verify",
    "Sign",
    "Purge"
  ],
  "secrets": [
    "Get",
    "List",
    "Set",
    "Delete",
    "Recover",
    "Backup",
    "Restore",
    "Purge"
  ]
}

06 Compare the complete list of permissions that can be configured for an access policy principal described at step no. 5 with the "permissions" list returned by the keyvault show command output at step no. 4. If a policy principal (identified by "PrincipalId") is configured to use all the key, secret and certificate permissions listed at step no. 5, the user, group or application represented by the verified principal has full permissions to access and manage the selected Azure Key Vault.

07 Repeat steps no. 3 – 6 for each Microsoft Azure Key Vault available in the current subscription.

08 Repeat steps no. 1 – 7 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To update your Azure Key Vaults access policy in order to remove any principal (i.e. user, group or application) that has full administrator permissions to access and manage your vaults, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Key vault to list all Key Vault instances available in the selected subscription.

05 Click on the name of the Azure Key Vault that you want to reconfigure.

06 In the navigation panel, under Settings, select Access policies to access the policies associated with the selected vault.

07 On the Access policies page, choose the policy principal that has full administrator permissions to manage the selected vault (see Audit section part I to identify the right principal), then click on the Delete button available in the Action column to remove the non-compliant principal from the vault access policy and revoke its permissions. Click Save to apply the changes.

08 If required, repeat step no. 7 for other non-compliant principals configured for the selected Key Vault.

09 Repeat steps no. 5 – 8 for each Azure Key Vault available in the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run keyvault delete-policy command (Windows/macOS/Linux) using the name of the Key Vault instance that you want to reconfigure as identifier parameter to remove the access policy configured for the Azure principal that has full administrator permissions to manage the selected vault (see Audit section part II to identify the non-complaint Azure principal):

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

az keyvault delete-policy
	--name "cc-production-key-vault"
	--object-id "abcdabcd-1234-abcd-1234-abcd1234abcd"

02 The command output should return the metadata available for the reconfigured Key Vault:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-key-vault",
  "location": "westeurope",
  "name": "cc-production-key-vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "abcd1234-abcd-1234-abcd-abcd1234abcd",
        "permissions": {
          "certificates": [
            "List"
          ],
          "keys": [
            "List"
          ],
          "secrets": [
            "List"
          ],
          "storage": null
        },
        "tenantId": "abcd1234-abcd-1234-abcd-abcd1234abcd"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": null,
    "enableRbacAuthorization": false,
    "enableSoftDelete": null,
    "enabledForDeployment": true,
    "enabledForDiskEncryption": true,
    "enabledForTemplateDeployment": true,
    "networkAcls": null,
    "provisioningState": "Succeeded",
    "sku": {
      "name": "standard"
    },
    "tenantId": "abcd1234-abcd-1234-abcd-abcd1234abcd",
    "vaultUri": "https://cc-production-key-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}

03 Repeat step no. 1 and 2 for each Azure Key Vault available within the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.

References

Azure Official Documentation
Azure Key Vault security
Secure access to a key vault
Provide Key Vault authentication with an access control policy

Azure Command Line Interface (CLI) Documentation
az keyvault list
az keyvault show
az keyvault delete-policy

Publication date Aug 31, 2020

Audit

Using Azure Portal

Using Azure CLI

Remediation / Resolution

Using Azure Portal

Using Azure CLI

References

Related KeyVault rules