bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0
7.16k stars 1.12k forks source link

Azure Key Vault - Ensure RBAC for Azure Key Vault is enabled #6164

Open tdefise opened 7 months ago

tdefise commented 7 months ago

Describe the issue It seems that their is no checks that ensure that RBAC is used as authorization system for the Azure Key Vault data plane.

Examples

resource "azurerm_key_vault" "example" {
  name                        = "examplekeyvault"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false
  enable_rbac_authorization = true
  sku_name = "standard"

}

Version (please complete the following information):

Additional context

Azure Key Vault offers two authorization systems: Azure role-based access control (Azure RBAC), which operates on Azure's control and data planes, and the access policy model, which operates on the data plane alone.

Azure RBAC is built on Azure Resource Manager and provides centralized access management of Azure resources. With Azure RBAC you control access to resources by creating role assignments, which consist of three elements: a security principal, a role definition (predefined set of permissions), and a scope (group of resources or individual resource).

The access policy model is a legacy authorization system, native to Key Vault, which provides access to keys, secrets, and certificates. You can control access by assigning individual permissions to security principals (users, groups, service principals, and managed identities) at Key Vault scope.

Azure RBAC is the recommended authorization system for the Azure Key Vault data plane. It offers several advantages over Key Vault access policies:

Azure RBAC provides a unified access control model for Azure resources — the same APIs are used across all Azure services. Access management is centralized, providing administrators with a consistent view of access granted to Azure resources. The right to grant access to keys, secrets, and certificates is better controlled, requiring Owner or User Access Administrator role membership. Azure RBAC is integrated with Privileged Identity Management, ensuring that privileged access rights are time-limited and expire automatically. Security principals' access can be excluded at given scope(s) through the use of Deny assignments.

Source: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy

itariq20 commented 7 months ago

Hi @tdefise, thank you for sharing your feedback on this issue, it does appear that Checkov does not have a Policy to check for this currently. Please feel free to create a Custom Check and share the information, you can also contribute your custom check for future consideration.