feat(terraform): Ensure RBAC for Azure Key Vault is enabled #6175
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tdefise
changed the title
tdefise
changed the title
bo156
reviewed
Apr 17, 2024
|
|
||
| class TestKeyVaultEnablesRBAC(unittest.TestCase): | ||
|
|
||
| def test(self): |
There was a problem hiding this comment.
Looks like this test is currently not catching everything correctly based on the last unit-tests run, please fix it and update us :)
There was a problem hiding this comment.
Hi,
Is it possible to get the logs please ?
There was a problem hiding this comment.
added 2 commits
April 17, 2024 18:27
…/checkov into feat/KeyVaultEnablesRBAC
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Description
Fixes #6164
New/Edited policies (Delete if not relevant)
Description
Azure Key Vault offers two authorization systems: Azure role-based access control (Azure RBAC), which operates on Azure's control and data planes, and the access policy model, which operates on the data plane alone.
Azure RBAC is built on Azure Resource Manager and provides centralized access management of Azure resources. With Azure RBAC you control access to resources by creating role assignments, which consist of three elements: a security principal, a role definition (predefined set of permissions), and a scope (group of resources or individual resource).
The access policy model is a legacy authorization system, native to Key Vault, which provides access to keys, secrets, and certificates. You can control access by assigning individual permissions to security principals (users, groups, service principals, and managed identities) at Key Vault scope.
Azure RBAC is the recommended authorization system for the Azure Key Vault data plane. It offers several advantages over Key Vault access policies:
Azure RBAC provides a unified access control model for Azure resources — the same APIs are used across all Azure services.
Access management is centralized, providing administrators with a consistent view of access granted to Azure resources.
The right to grant access to keys, secrets, and certificates is better controlled, requiring Owner or User Access Administrator role membership.
Azure RBAC is integrated with Privileged Identity Management, ensuring that privileged access rights are time-limited and expire automatically.
Security principals' access can be excluded at given scope(s) through the use of Deny assignments.
Source: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy
Fix
Change "enable_rbac_authorization" to "true"
Checklist: