From d8a965743fb89d04968f31dd0ac2689d6243430d Mon Sep 17 00:00:00 2001
From: Ed Knox
Date: Wed, 23 Oct 2024 11:00:52 -0400
Subject: [PATCH 1/3] New Key Vault recommendation for using RBAC

---
 .../c41fd2c7-fd5e-46e8-97cb-5d0c6954500e.kql | 8 ++++++++
 .../KeyVault/vaults/recommendations.yaml | 17 +++++++++++++++++
 2 files changed, 25 insertions(+)
 create mode 100644 azure-resources/KeyVault/vaults/kql/c41fd2c7-fd5e-46e8-97cb-5d0c6954500e.kql

diff --git a/azure-resources/KeyVault/vaults/kql/c41fd2c7-fd5e-46e8-97cb-5d0c6954500e.kql b/azure-resources/KeyVault/vaults/kql/c41fd2c7-fd5e-46e8-97cb-5d0c6954500e.kql
new file mode 100644
index 000000000..ca1af7add
--- /dev/null
+++ b/azure-resources/KeyVault/vaults/kql/c41fd2c7-fd5e-46e8-97cb-5d0c6954500e.kql
@@ -0,0 +1,8 @@
+// Azure Resource Graph Query
+// Provides a list of Azure Key Vault resources that do not use RBAC for Data Plane
+
+resources
+| where type == "microsoft.keyvault/vaults"
+| where isnull(properties.enableRbacAuthorization) or properties.enableRbacAuthorization != true
+| extend param1 = 'Role-based access control: Not Configured'
+| project recommendationId = "00c3d2b0-ea6e-4c4b-89be-b78a35caeb51", name, id, tags, param1
diff --git a/azure-resources/KeyVault/vaults/recommendations.yaml b/azure-resources/KeyVault/vaults/recommendations.yaml
index 02fa7a0ad..540906d3f 100644
--- a/azure-resources/KeyVault/vaults/recommendations.yaml
+++ b/azure-resources/KeyVault/vaults/recommendations.yaml
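Review bot: The `| where isnull(properties.enableRbacAuthorization) or properties.enableRbacAuthorization != true` line deliberately reports vaults where the property is absent, but nothing in the file says why, and the next maintainer may "simplify" it to a bare `!= true`, which in KQL does not evaluate to true for a null and would silently drop exactly the vaults on the default legacy model. Add a comment above that line: `// enableRbacAuthorization unset or false means the vault still uses legacy access policies, so null is treated as non-compliant`. Equivalently, `| where coalesce(tobool(properties.enableRbacAuthorization), false) == false` states the intent in a single predicate. The second header comment would also be more useful if it named the property being evaluated, so the finding is traceable to the ARM setting an operator has to change.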
@@ -82,3 +82,20 @@ learnMoreLink:
 - name: Azure Key Vault logging overview
 url: "https://learn.microsoft.com/azure/key-vault/general/logging?tabs=Vault"
+
+- description: Azure Key Vault RBAC for Data Plane: Integrates with Azure RBAC, replacing the legacy Access model
+ aprlGuid: c41fd2c7-fd5e-46e8-97cb-5d0c6954500e
+ recommendationTypeId: null
+ recommendationControl: Other Best Practices
+ recommendationImpact: High
+ recommendationResourceType: Microsoft.KeyVault/vaults
+ recommendationMetadataState: Active
+ longDescription: |
+ Azure Key Vault for Data plane offers Unified Access Control, Centralized Access Management, Improved Security, Integration with Privileged Identity management and specific Deny Assignments.
+ potentialBenefits: Improved RBAC controls
+ pgVerified: true
+ automationAvailable: false
+ tags: null
+ learnMoreLink:
+ - name: Provide Key Vault access with an Azure role-based access control
+ url: "https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli"
From dec1a5076229353fe09501e6d41d8a5854ad7d3e Mon Sep 17 00:00:00 2001
From: Ed Knox
Date: Wed, 23 Oct 2024 11:08:12 -0400
Subject: [PATCH 2/3] updating query with correct recommendationId

---
 .../vaults/kql/c41fd2c7-fd5e-46e8-97cb-5d0c6954500e.kql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/azure-resources/KeyVault/vaults/kql/c41fd2c7-fd5e-46e8-97cb-5d0c6954500e.kql b/azure-resources/KeyVault/vaults/kql/c41fd2c7-fd5e-46e8-97cb-5d0c6954500e.kql
index ca1af7add..238219d31 100644
--- a/azure-resources/KeyVault/vaults/kql/c41fd2c7-fd5e-46e8-97cb-5d0c6954500e.kql
+++ b/azure-resources/KeyVault/vaults/kql/c41fd2c7-fd5e-46e8-97cb-5d0c6954500e.kql
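Review bot: `automationAvailable: false` contradicts the Resource Graph query this same commit adds under `kql/c41fd2c7-fd5e-46e8-97cb-5d0c6954500e.kql` for this aprlGuid; if that flag signals that a query exists for the recommendation, as its name suggests, it should read `automationAvailable: true`. The longDescription lists benefits but omits the caveat an operator needs before acting on this recommendation: once `enableRbacAuthorization` is set the vault stops honoring its access policies, so role assignments for every existing caller must be in place beforehand or those callers lose access the moment the switch is made; add a sentence to that effect after the benefits list. The new learnMoreLink URL carries an `/en-us/` locale segment while the existing link directly above it does not; `url: "https://learn.microsoft.com/azure/key-vault/general/rbac-guide"` keeps the file consistent and lets the site pick the reader's locale.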
@@ -5,4 +5,4 @@ resources
 | where type == "microsoft.keyvault/vaults"
 | where isnull(properties.enableRbacAuthorization) or properties.enableRbacAuthorization != true
 | extend param1 = 'Role-based access control: Not Configured'
-| project recommendationId = "00c3d2b0-ea6e-4c4b-89be-b78a35caeb51", name, id, tags, param1
+| project recommendationId = "c41fd2c7-fd5e-46e8-97cb-5d0c6954500e", name, id, tags, param1
From f8d1378443b4a02df06431f58d53ff0a60acafae Mon Sep 17 00:00:00 2001
From: Zach Trocinski
Date: Wed, 23 Oct 2024 12:03:10 -0500
Subject: [PATCH 3/3] Update recommendation description

---
 azure-resources/KeyVault/vaults/recommendations.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/azure-resources/KeyVault/vaults/recommendations.yaml b/azure-resources/KeyVault/vaults/recommendations.yaml
index 540906d3f..0155950d9 100644
--- a/azure-resources/KeyVault/vaults/recommendations.yaml
+++ b/azure-resources/KeyVault/vaults/recommendations.yaml
@@ -83,7 +83,7 @@
 - name: Azure Key Vault logging overview
 url: "https://learn.microsoft.com/azure/key-vault/general/logging?tabs=Vault"
-- description: Azure Key Vault RBAC for Data Plane: Integrates with Azure RBAC, replacing the legacy Access model
+- description: 'Integrate Azure Key Vault RBAC for Data Plane with Azure RBAC, replacing the legacy access model.'
 aprlGuid: c41fd2c7-fd5e-46e8-97cb-5d0c6954500e
 recommendationTypeId: null
 recommendationControl: Other Best Practices