feat: Key Vault RBAC recommendation

azure-resources/KeyVault/vaults/kql/c41fd2c7-fd5e-46e8-97cb-5d0c6954500e.kql

@@ -0,0 +1,8 @@
+// Azure Resource Graph Query
+// Provides a list of Azure Key Vault resources that do not use RBAC for Data Plane
+
+resources
+| where type == "microsoft.keyvault/vaults"
+| where isnull(properties.enableRbacAuthorization) or properties.enableRbacAuthorization != true
+| extend param1 = 'Role-based access control: Not Configured'
+| project recommendationId = "c41fd2c7-fd5e-46e8-97cb-5d0c6954500e", name, id, tags, param1

azure-resources/KeyVault/vaults/recommendations.yaml

@@ -82,3 +82,20 @@
   learnMoreLink:
     - name: Azure Key Vault logging overview
       url: "https://learn.microsoft.com/azure/key-vault/general/logging?tabs=Vault"
+
+- description: 'Integrate Azure Key Vault RBAC for Data Plane with Azure RBAC, replacing the legacy access model.'
+  aprlGuid: c41fd2c7-fd5e-46e8-97cb-5d0c6954500e
+  recommendationTypeId: null
+  recommendationControl: Other Best Practices
+  recommendationImpact: High
+  recommendationResourceType: Microsoft.KeyVault/vaults
+  recommendationMetadataState: Active
+  longDescription: |
+    Azure Key Vault for Data plane offers Unified Access Control, Centralized Access Management, Improved Security, Integration with Privileged Identity management and specific Deny Assignments.
+  potentialBenefits: Improved RBAC controls
+  pgVerified: true
+  automationAvailable: false
+  tags: null
+  learnMoreLink:
+    - name: Provide Key Vault access with an Azure role-based access control
+      url: "https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli"