Updates to Key Vault rules docs (#2667)

Azure · Feb 1, 2024 · dc728ad · dc728ad
1 parent d3f4078
commit dc728ad
Show file tree

Hide file tree

Showing 5 changed files with 112 additions and 59 deletions.
diff --git a/docs/en/rules/Azure.KeyVault.PurgeProtect.md b/docs/en/rules/Azure.KeyVault.PurgeProtect.md
@@ -1,8 +1,8 @@
 ---
-reviewed: 2023-02-18
+reviewed: 2024-02-02
 severity: Important
 pillar: Reliability
-category: Data management
+category: RE:07 Self-preservation
 resource: Key Vault
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.KeyVault.PurgeProtect/
 ---
@@ -41,20 +41,25 @@ For example:
 
 ```json
 {
-    "type": "Microsoft.KeyVault/vaults",
-    "apiVersion": "2021-10-01",
-    "name": "[parameters('name')]",
-    "location": "[parameters('location')]",
-    "properties": {
-        "sku": {
-            "family": "A",
-            "name": "premium"
-        },
-        "tenantId": "[subscription().tenantId]",
-        "enableSoftDelete": true,
-        "softDeleteRetentionInDays": 90,
-        "enablePurgeProtection": true
+  "type": "Microsoft.KeyVault/vaults",
+  "apiVersion": "2023-07-01",
+  "name": "[parameters('name')]",
+  "location": "[parameters('location')]",
+  "properties": {
+    "sku": {
+      "family": "A",
+      "name": "premium"
+    },
+    "tenantId": "[tenant().tenantId]",
+    "softDeleteRetentionInDays": 90,
+    "enableSoftDelete": true,
+    "enablePurgeProtection": true,
+    "enableRbacAuthorization": true,
+    "networkAcls": {
+      "defaultAction": "Deny",
+      "bypass": "AzureServices"
     }
+  }
 }
 ```
 
@@ -67,18 +72,23 @@ To deploy Key Vaults that pass this rule:
 For example:
 
 ```bicep
-resource vault 'Microsoft.KeyVault/vaults@2021-10-01' = {
+resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
   name: name
   location: location
   properties: {
     sku: {
       family: 'A'
       name: 'premium'
     }
-    tenantId: subscription().tenantId
-    enableSoftDelete: true
+    tenantId: tenant().tenantId
     softDeleteRetentionInDays: 90
+    enableSoftDelete: true
     enablePurgeProtection: true
+    enableRbacAuthorization: true
+    networkAcls: {
+      defaultAction: 'Deny'
+      bypass: 'AzureServices'
+    }
   }
 }
 ```
@@ -89,8 +99,21 @@ resource vault 'Microsoft.KeyVault/vaults@2021-10-01' = {
 az keyvault update -n '<name>' -g '<resource_group>' --enable-purge-protection
 ```
 
+### Configure with Azure PowerShell
+
+```powershell
+Update-AzKeyVault -ResourceGroupName '<resource_group>' -Name '<name>' -EnablePurgeProtection
+```
+
+### Configure with Azure Policy
+
+To address this issue at runtime use the following policies:
+
+- [Key vaults should have deletion protection enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_Recoverable_Audit.json)
+
 ## LINKS
 
+- [RE:07 Self-preservation](https://learn.microsoft.com/azure/well-architected/reliability/self-preservation)
 - [Azure Key Vault soft-delete overview](https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview)
-- [Azure Key Vault security](https://learn.microsoft.com/azure/key-vault/general/security-features#backup-and-recovery)
+- [Azure Key Vault security](https://learn.microsoft.com/azure/key-vault/general/security-features)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.keyvault/vaults)
diff --git a/docs/en/rules/Azure.KeyVault.RBAC.md b/docs/en/rules/Azure.KeyVault.RBAC.md
@@ -1,8 +1,8 @@
 ---
-reviewed: 2023-08-20
+reviewed: 2024-02-02
 severity: Awareness
 pillar: Security
-category: Authorization
+category: SE:05 Identity and access management
 resource: Key Vault
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.KeyVault.RBAC/
 ---
@@ -41,7 +41,7 @@ For example:
 ```json
 {
   "type": "Microsoft.KeyVault/vaults",
-  "apiVersion": "2023-02-01",
+  "apiVersion": "2023-07-01",
   "name": "[parameters('name')]",
   "location": "[parameters('location')]",
   "properties": {
@@ -71,7 +71,7 @@ To deploy Key Vaults that pass this rule:
 For example:
 
 ```bicep
-resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {
+resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
   name: name
   location: location
   properties: {
@@ -104,6 +104,12 @@ az keyvault update -n '<name>' -g '<resource_group>' --enable-rbac-authorization
 Update-AzKeyVault -ResourceGroupName '<resource_group>' -Name '<name>' -EnableRbacAuthorization
 ```
 
+### Configure with Azure Policy
+
+To address this issue at runtime use the following policies:
+
+- [Azure Key Vault should use RBAC permission model](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVault_Should_Use_RBAC.json)
+
 ## NOTES
 
 The RBAC permission model may not be suitable for all use cases.
@@ -112,11 +118,12 @@ For information about limitations see _Azure role-based access control vs. acces
 
 ## LINKS
 
-- [Role-based authorization](https://learn.microsoft.com/azure/well-architected/security/design-identity-authorization#role-based-authorization)
+- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access)
 - [What is Azure role-based access control?](https://learn.microsoft.com/azure/role-based-access-control/overview)
 - [Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control](https://learn.microsoft.com/azure/key-vault/general/rbac-guide)
 - [Azure role-based access control vs. access policies](https://learn.microsoft.com/azure/key-vault/general/rbac-access-policy)
 - [Migrate from vault access policy to an Azure role-based access control permission model](https://learn.microsoft.com/azure/key-vault/general/rbac-migration)
+- [Azure Key Vault security](https://learn.microsoft.com/azure/key-vault/general/security-features)
 - [Azure security baseline for Key Vault](https://learn.microsoft.com/security/benchmark/azure/baselines/key-vault-security-baseline)
 - [IM-1: Use centralized identity and authentication system](https://learn.microsoft.com/security/benchmark/azure/baselines/key-vault-security-baseline#im-1-use-centralized-identity-and-authentication-system)
-- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.keyvault/vaults#vaultproperties)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.keyvault/vaults)
diff --git a/docs/en/rules/Azure.KeyVault.SoftDelete.md b/docs/en/rules/Azure.KeyVault.SoftDelete.md
@@ -1,7 +1,8 @@
 ---
+reviewed: 2024-02-02
 severity: Important
 pillar: Reliability
-category: Data management
+category: RE:07 Self-preservation
 resource: Key Vault
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.KeyVault.SoftDelete/
 ---
@@ -38,20 +39,25 @@ For example:
 
 ```json
 {
-    "type": "Microsoft.KeyVault/vaults",
-    "apiVersion": "2021-10-01",
-    "name": "[parameters('name')]",
-    "location": "[parameters('location')]",
-    "properties": {
-        "sku": {
-            "family": "A",
-            "name": "premium"
-        },
-        "tenantId": "[subscription().tenantId]",
-        "enableSoftDelete": true,
-        "softDeleteRetentionInDays": 90,
-        "enablePurgeProtection": true
+  "type": "Microsoft.KeyVault/vaults",
+  "apiVersion": "2023-07-01",
+  "name": "[parameters('name')]",
+  "location": "[parameters('location')]",
+  "properties": {
+    "sku": {
+      "family": "A",
+      "name": "premium"
+    },
+    "tenantId": "[tenant().tenantId]",
+    "softDeleteRetentionInDays": 90,
+    "enableSoftDelete": true,
+    "enablePurgeProtection": true,
+    "enableRbacAuthorization": true,
+    "networkAcls": {
+      "defaultAction": "Deny",
+      "bypass": "AzureServices"
     }
+  }
 }
 ```
 
@@ -64,24 +70,43 @@ To deploy Key Vaults that pass this rule:
 For example:
 
 ```bicep
-resource vault 'Microsoft.KeyVault/vaults@2021-10-01' = {
+resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
   name: name
   location: location
   properties: {
     sku: {
       family: 'A'
       name: 'premium'
     }
-    tenantId: subscription().tenantId
-    enableSoftDelete: true
+    tenantId: tenant().tenantId
     softDeleteRetentionInDays: 90
+    enableSoftDelete: true
     enablePurgeProtection: true
+    enableRbacAuthorization: true
+    networkAcls: {
+      defaultAction: 'Deny'
+      bypass: 'AzureServices'
+    }
   }
 }
 ```
 
+### Configure with Azure CLI
+
+```bash
+az keyvault update -n '<name>' -g '<resource_group>' --retention-days 90
+```
+
+### Configure with Azure Policy
+
+To address this issue at runtime use the following policies:
+
+- [Key vaults should have soft delete enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_SoftDeleteMustBeEnabled_Audit.json)
+
 ## LINKS
 
-- [Azure Key Vault soft-delete overview](https://docs.microsoft.com/azure/key-vault/general/soft-delete-overview)
-- [Azure Key Vault security](https://docs.microsoft.com/azure/key-vault/general/security-overview#backup-and-recovery)
-- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.keyvault/vaults)
+- [RE:07 Self-preservation](https://learn.microsoft.com/azure/well-architected/reliability/self-preservation)
+- [Azure Key Vault soft-delete overview](https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview)
+- [Soft-delete will be enabled on all key vaults](https://learn.microsoft.com/azure/key-vault/general/soft-delete-change)
+- [Azure Key Vault security](https://learn.microsoft.com/azure/key-vault/general/security-features)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.keyvault/vaults)
diff --git a/docs/examples-keyvault.bicep b/docs/examples-keyvault.bicep
@@ -16,7 +16,7 @@ param objectId string
 param workspaceId string
 
 // An example Key Vault with access policies.
-resource vaultWithAccessPolicies 'Microsoft.KeyVault/vaults@2023-02-01' = {
+resource vaultWithAccessPolicies 'Microsoft.KeyVault/vaults@2023-07-01' = {
   name: name
   location: location
   properties: {
@@ -45,7 +45,7 @@ resource vaultWithAccessPolicies 'Microsoft.KeyVault/vaults@2023-02-01' = {
 }
 
 // An example Key Vault with RBAC authorization.
-resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {
+resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
   name: name
   location: location
   properties: {

diff --git a/docs/examples-keyvault.json b/docs/examples-keyvault.json
@@ -1,13 +1,11 @@
 {
   "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-  "languageVersion": "1.10-experimental",
   "contentVersion": "1.0.0.0",
   "metadata": {
-    "_EXPERIMENTAL_WARNING": "Symbolic name support in ARM is experimental, and should be enabled for testing purposes only. Do not enable this setting for any production usage, or you may be unexpectedly broken at any time!",
     "_generator": {
       "name": "bicep",
-      "version": "0.20.4.51522",
-      "templateHash": "1553055841733853074"
+      "version": "0.24.24.22086",
+      "templateHash": "3218451149490833125"
     }
   },
   "parameters": {
@@ -37,10 +35,10 @@
       }
     }
   },
-  "resources": {
-    "vaultWithAccessPolicies": {
+  "resources": [
+    {
       "type": "Microsoft.KeyVault/vaults",
-      "apiVersion": "2023-02-01",
+      "apiVersion": "2023-07-01",
       "name": "[parameters('name')]",
       "location": "[parameters('location')]",
       "properties": {
@@ -67,9 +65,9 @@
         ]
       }
     },
-    "vault": {
+    {
       "type": "Microsoft.KeyVault/vaults",
-      "apiVersion": "2023-02-01",
+      "apiVersion": "2023-07-01",
       "name": "[parameters('name')]",
       "location": "[parameters('location')]",
       "properties": {
@@ -88,7 +86,7 @@
         }
       }
     },
-    "logs": {
+    {
       "type": "Microsoft.Insights/diagnosticSettings",
       "apiVersion": "2021-05-01-preview",
       "scope": "[format('Microsoft.KeyVault/vaults/{0}', parameters('name'))]",
@@ -103,8 +101,8 @@
         ]
       },
       "dependsOn": [
-        "vault"
+        "[resourceId('Microsoft.KeyVault/vaults', parameters('name'))]"
       ]
     }
-  }
+  ]
 }