Open arynaq opened 5 years ago
I haven't had any real success with this control.
The sample ARM template for Key Vault provided in the docs repository directs the user to use a parameter to specify access policies. Using that template, and no parameters file, the control evaluates as "Verify".
Reduced sample template:
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "accessPolicies": {
      "type": "array",
      "defaultValue": [],
      "metadata": {
        "description": "Access policies object to define access policies"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "name": "SampleKeyVault",
      "apiVersion": "2015-06-01",
      "location": "[resourceGroup().location]",
      "properties": {
        "enableSoftDelete": true,
        "enabledForDeployment": false,
        "enabledForDiskEncryption": false,
        "enabledForTemplateDeployment": false,
        "tenantId": "[subscription().tenantId]",
        "accessPolicies": "[parameters('accessPolicies')]",
        "sku": {
          "name": "Premium",
          "family": "A"
        }
      }
    }
  ]
}
```
Verify: [Azure_KeyVault_AuthZ_Grant_Min_Access_policies]
Interestingly, an empty set of access policies results in a control failure:
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "name": "SampleKeyVault",
      "apiVersion": "2015-06-01",
      "location": "[resourceGroup().location]",
      "properties": {
        "enableSoftDelete": true,
        "enabledForDeployment": false,
        "enabledForDiskEncryption": false,
        "enabledForTemplateDeployment": false,
        "tenantId": "[subscription().tenantId]",
        "accessPolicies": [],
        "sku": {
          "name": "Premium",
          "family": "A"
        }
      }
    }
  ]
}
```
Failed: [Azure_KeyVault_AuthZ_Grant_Min_Access_policies]
Title
Azure_Keyvault_AuthZ_Min_Access_policies fails with minimal access policy
Description
See attached image: in the ARM template the minimal (get, list) is set as required by our app, but the check fails.
Steps to reproduce
Expected behavior
Actual behavior
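The three outcomes reported above (a parameter reference that cannot be settled statically, an empty literal list, and a literal list with only get/list) are what a static ARM-template check has to distinguish. The script below is an added example written for this page, not the AzSK control's own implementation: it resolves `[parameters('name')]` references from a parameters object or the template's `defaultValue`, returns "Verify" when the value is only a default (because a parameters file can override it at deployment), "Failed" for an empty list or any wildcard grant, and "Passed" when every permission falls inside an assumed minimal set. The sample templates, the `ALLOWED_MIN` table and the object IDs are constructed for the example.

```python
"""Static check of Key Vault accessPolicies in an ARM template.

Added example, not AzSK's control logic. Assumptions: a policy passes only if
every granted permission is within ALLOWED_MIN for its category; "all" or "*"
fails; an unresolved or default-only parameter reference yields "Verify".
"""
import json
import re

# Assumed minimal permissions an application needs (the issue's own "get, list").
ALLOWED_MIN = {
    "keys": {"get", "list"},
    "secrets": {"get", "list"},
    "certificates": {"get", "list"},
    "storage": {"get", "list"},
}

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def resolve_value(value, template, parameters=None):
    """Resolve an ARM expression of the form [parameters('name')].

    Returns (value, resolved). A value from a parameters object is final; a
    template defaultValue is not, since a deployment can override it.
    """
    if not isinstance(value, str):
        return value, True
    match = PARAM_REF.match(value.strip())
    if not match:
        return value, True  # other ARM expressions are not evaluated here
    name = match.group(1)
    if parameters and name in parameters:
        return parameters[name].get("value"), True
    param = template.get("parameters", {}).get(name, {})
    if "defaultValue" in param:
        return param["defaultValue"], False
    return None, False


def check_policies(policies):
    """Grade a concrete accessPolicies list as 'Passed' or 'Failed'."""
    if not policies:
        return "Failed"  # a vault with no access policy at all
    for policy in policies:
        for category, granted in (policy.get("permissions") or {}).items():
            granted_set = {p.lower() for p in granted}
            if granted_set & {"all", "*"}:
                return "Failed"  # wildcard grant is never minimal
            if not granted_set <= ALLOWED_MIN.get(category, set()):
                return "Failed"  # something beyond the assumed minimum
    return "Passed"


def evaluate_template(template, parameters=None):
    """Map each Key Vault resource name to Passed / Failed / Verify."""
    results = {}
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.keyvault/vaults":
            continue
        raw = res.get("properties", {}).get("accessPolicies")
        value, resolved = resolve_value(raw, template, parameters)
        if not resolved or not isinstance(value, list):
            results[res["name"]] = "Verify"
        else:
            results[res["name"]] = check_policies(value)
    return results


# Constructed samples mirroring the issue: parameterised, empty, minimal.
VAULT = {"type": "Microsoft.KeyVault/vaults", "name": "SampleKeyVault"}
PARAMETERISED = {
    "parameters": {"accessPolicies": {"type": "array", "defaultValue": []}},
    "resources": [dict(VAULT, properties={"accessPolicies": "[parameters('accessPolicies')]"})],
}
EMPTY = {"resources": [dict(VAULT, properties={"accessPolicies": []})]}
MINIMAL_POLICY = {
    "tenantId": "[subscription().tenantId]",
    "objectId": "00000000-0000-0000-0000-000000000000",  # constructed
    "permissions": {"secrets": ["get", "list"]},
}
MINIMAL = {"resources": [dict(VAULT, properties={"accessPolicies": [MINIMAL_POLICY]})]}

if __name__ == "__main__":
    for label, tpl in (("parameterised", PARAMETERISED), ("empty", EMPTY), ("minimal", MINIMAL)):
        print(label, json.dumps(evaluate_template(tpl)))
    # Supplying a parameters object turns "Verify" into a concrete grade.
    supplied = {"accessPolicies": {"value": [MINIMAL_POLICY]}}
    print("parameterised+params", json.dumps(evaluate_template(PARAMETERISED, supplied)))
```

Feeding the parameters file that will actually be deployed (rather than relying on `defaultValue`) is what lets a static check move from "Verify" to a definite answer; without it, the parameterised template should be reported as needing manual review, not as failed.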