Ensure that your Microsoft Azure virtual machines (VMs) have system-assigned managed identities enabled in order to allow secure virtual machine access to Azure resources such as key vaults and storage accounts.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
A system-assigned managed identity lets an Azure VM authenticate to other Azure services without any credentials being stored in code or configuration. Once it is enabled, the permissions the VM needs are granted to that identity through the Azure Role-Based Access Control (RBAC) access management system. With a system-assigned managed identity you no longer have to secure, distribute or rotate access credentials yourself, because the platform handles them automatically behind the scenes.
Note: The lifecycle of the managed identity is tied to the lifecycle of the associated VM and each virtual machine can have only one system-assigned managed identity.
Audit
To determine if your Azure virtual machines are configured to use system-assigned managed identities, perform the following actions:
Remediation / Resolution
To enable system-assigned managed identities for your Microsoft Azure virtual machines, perform the following actions:
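The audit and remediation steps above both revolve around the `identity` block that `az vm list` / `az vm show` return for each VM. The following script is an added example (not part of the original rule page or of Conformity's own tooling): it classifies VMs from a constructed, trimmed sample of `az vm list` JSON output and prints the `az vm identity assign` command for each VM that lacks a system-assigned identity. The VM names, resource groups and principal IDs in the sample are made up.

```python
import json
import shlex

# Constructed sample shaped like `az vm list` output, trimmed to the fields this
# check needs. Names, resource groups and IDs are placeholders, not real data.
SAMPLE_VM_LIST = json.dumps([
    {"name": "web-01", "resourceGroup": "rg-prod",
     "identity": {"type": "SystemAssigned", "principalId": "00000000-0000-0000-0000-000000000001"}},
    {"name": "web-02", "resourceGroup": "rg-prod",
     "identity": {"type": "UserAssigned", "userAssignedIdentities": {"/placeholder/uai-id": {}}}},
    {"name": "batch-01", "resourceGroup": "rg-batch", "identity": None},
    {"name": "jump-01", "resourceGroup": "rg-ops",
     "identity": {"type": "SystemAssigned, UserAssigned"}},
])


def has_system_assigned_identity(vm: dict) -> bool:
    """True when the VM's identity.type includes SystemAssigned.

    Azure reports identity.type as "SystemAssigned", "UserAssigned",
    "SystemAssigned, UserAssigned", or omits the identity block entirely
    (serialised as null). A VM with both kinds is compliant for this rule.
    """
    identity = vm.get("identity") or {}
    types = {t.strip() for t in (identity.get("type") or "").split(",")}
    return "SystemAssigned" in types


def find_noncompliant_vms(vm_list_json: str) -> list[tuple[str, str]]:
    """Return (resourceGroup, name) for every VM without a system-assigned identity."""
    return [
        (vm["resourceGroup"], vm["name"])
        for vm in json.loads(vm_list_json)
        if not has_system_assigned_identity(vm)
    ]


def remediation_command(resource_group: str, vm_name: str) -> str:
    """Build the remediation command; without --identities, `az vm identity assign`
    enables the system-assigned identity and leaves user-assigned ones in place."""
    return (f"az vm identity assign --resource-group {shlex.quote(resource_group)} "
            f"--name {shlex.quote(vm_name)}")


if __name__ == "__main__":
    # In a live audit, feed the output of `az vm list --output json` instead.
    for rg, name in find_noncompliant_vms(SAMPLE_VM_LIST):
        print(f"NON-COMPLIANT {rg}/{name}: {remediation_command(rg, name)}")
```

After running the assign command, re-check with `az vm show --resource-group <rg> --name <vm> --query identity.type` to confirm the identity type now includes SystemAssigned.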
References
- Azure Official Documentation
  - What are managed identities for Azure resources?
  - Configure managed identities for Azure resources on a VM using the Azure portal
  - Configure managed identities for Azure resources on an Azure VM using Azure CLI
- Azure PowerShell Documentation
  - az vm list
  - az vm show
  - az vm identity assign