From dc728ad1b5a3debceca56c22c5c4fe2743eeccfd Mon Sep 17 00:00:00 2001 From: Bernie White Date: Fri, 2 Feb 2024 08:58:54 +1000 Subject: [PATCH] Updates to Key Vault rules docs (#2667) --- docs/en/rules/Azure.KeyVault.PurgeProtect.md | 61 ++++++++++++------ docs/en/rules/Azure.KeyVault.RBAC.md | 19 ++++-- docs/en/rules/Azure.KeyVault.SoftDelete.md | 65 ++++++++++++++------ docs/examples-keyvault.bicep | 4 +- docs/examples-keyvault.json | 22 +++---- 5 files changed, 112 insertions(+), 59 deletions(-) diff --git a/docs/en/rules/Azure.KeyVault.PurgeProtect.md b/docs/en/rules/Azure.KeyVault.PurgeProtect.md index 2733eec7c85..a8306c4eb67 100644 --- a/docs/en/rules/Azure.KeyVault.PurgeProtect.md +++ b/docs/en/rules/Azure.KeyVault.PurgeProtect.md @@ -1,8 +1,8 @@ --- -reviewed: 2023-02-18 +reviewed: 2024-02-02 severity: Important pillar: Reliability -category: Data management +category: RE:07 Self-preservation resource: Key Vault online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.KeyVault.PurgeProtect/ --- @@ -41,20 +41,25 @@ For example: ```json { - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2021-10-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "properties": { - "sku": { - "family": "A", - "name": "premium" - }, - "tenantId": "[subscription().tenantId]", - "enableSoftDelete": true, - "softDeleteRetentionInDays": 90, - "enablePurgeProtection": true + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2023-07-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "properties": { + "sku": { + "family": "A", + "name": "premium" + }, + "tenantId": "[tenant().tenantId]", + "softDeleteRetentionInDays": 90, + "enableSoftDelete": true, + "enablePurgeProtection": true, + "enableRbacAuthorization": true, + "networkAcls": { + "defaultAction": "Deny", + "bypass": "AzureServices" } + } } ``` 
@@ -67,7 +72,7 @@ To deploy Key Vaults that pass this rule: For example: ```bicep -resource vault 'Microsoft.KeyVault/vaults@2021-10-01' = { +resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = { name: name location: location properties: { @@ -75,10 +80,15 @@ resource vault 'Microsoft.KeyVault/vaults@2021-10-01' = { family: 'A' name: 'premium' } - tenantId: subscription().tenantId - enableSoftDelete: true + tenantId: tenant().tenantId softDeleteRetentionInDays: 90 + enableSoftDelete: true enablePurgeProtection: true + enableRbacAuthorization: true + networkAcls: { + defaultAction: 'Deny' + bypass: 'AzureServices' + } } } ``` @@ -89,8 +99,21 @@ resource vault 'Microsoft.KeyVault/vaults@2021-10-01' = { az keyvault update -n '' -g '' --enable-purge-protection ``` +### Configure with Azure PowerShell + +```powershell +Update-AzKeyVault -ResourceGroupName '' -Name '' -EnablePurgeProtection +``` + +### Configure with Azure Policy + +To address this issue at runtime use the following policies: + +- [Key vaults should have deletion protection enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_Recoverable_Audit.json) + ## LINKS +- [RE:07 Self-preservation](https://learn.microsoft.com/azure/well-architected/reliability/self-preservation) - [Azure Key Vault soft-delete overview](https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview) -- [Azure Key Vault security](https://learn.microsoft.com/azure/key-vault/general/security-features#backup-and-recovery) +- [Azure Key Vault security](https://learn.microsoft.com/azure/key-vault/general/security-features) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.keyvault/vaults) diff --git a/docs/en/rules/Azure.KeyVault.RBAC.md b/docs/en/rules/Azure.KeyVault.RBAC.md index 5db6219a6ff..fd36ebd6cd8 100644 --- a/docs/en/rules/Azure.KeyVault.RBAC.md +++ b/docs/en/rules/Azure.KeyVault.RBAC.md 
@@ -1,8 +1,8 @@ --- -reviewed: 2023-08-20 +reviewed: 2024-02-02 severity: Awareness pillar: Security -category: Authorization +category: SE:05 Identity and access management resource: Key Vault online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.KeyVault.RBAC/ --- @@ -41,7 +41,7 @@ For example: ```json { "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2023-02-01", + "apiVersion": "2023-07-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "properties": { @@ -71,7 +71,7 @@ To deploy Key Vaults that pass this rule: For example: ```bicep -resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = { +resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = { name: name location: location properties: { @@ -104,6 +104,12 @@ az keyvault update -n '' -g '' --enable-rbac-authorization Update-AzKeyVault -ResourceGroupName '' -Name '' -EnableRbacAuthorization ``` +### Configure with Azure Policy + +To address this issue at runtime use the following policies: + +- [Azure Key Vault should use RBAC permission model](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVault_Should_Use_RBAC.json) + ## NOTES The RBAC permission model may not be suitable for all use cases. 
@@ -112,11 +118,12 @@ For information about limitations see _Azure role-based access control vs. acces ## LINKS -- [Role-based authorization](https://learn.microsoft.com/azure/well-architected/security/design-identity-authorization#role-based-authorization) +- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access) - [What is Azure role-based access control?](https://learn.microsoft.com/azure/role-based-access-control/overview) - [Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control](https://learn.microsoft.com/azure/key-vault/general/rbac-guide) - [Azure role-based access control vs. access policies](https://learn.microsoft.com/azure/key-vault/general/rbac-access-policy) - [Migrate from vault access policy to an Azure role-based access control permission model](https://learn.microsoft.com/azure/key-vault/general/rbac-migration) +- [Azure Key Vault security](https://learn.microsoft.com/azure/key-vault/general/security-features) - [Azure security baseline for Key Vault](https://learn.microsoft.com/security/benchmark/azure/baselines/key-vault-security-baseline) - [IM-1: Use centralized identity and authentication system](https://learn.microsoft.com/security/benchmark/azure/baselines/key-vault-security-baseline#im-1-use-centralized-identity-and-authentication-system) -- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.keyvault/vaults#vaultproperties) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.keyvault/vaults) diff --git a/docs/en/rules/Azure.KeyVault.SoftDelete.md b/docs/en/rules/Azure.KeyVault.SoftDelete.md index 98cba81ae10..f45c41ecc6e 100644 --- a/docs/en/rules/Azure.KeyVault.SoftDelete.md +++ b/docs/en/rules/Azure.KeyVault.SoftDelete.md 
@@ -1,7 +1,8 @@ --- +reviewed: 2024-02-02 severity: Important pillar: Reliability -category: Data management +category: RE:07 Self-preservation resource: Key Vault online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.KeyVault.SoftDelete/ --- @@ -38,20 +39,25 @@ For example: ```json { - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2021-10-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "properties": { - "sku": { - "family": "A", - "name": "premium" - }, - "tenantId": "[subscription().tenantId]", - "enableSoftDelete": true, - "softDeleteRetentionInDays": 90, - "enablePurgeProtection": true + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2023-07-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "properties": { + "sku": { + "family": "A", + "name": "premium" + }, + "tenantId": "[tenant().tenantId]", + "softDeleteRetentionInDays": 90, + "enableSoftDelete": true, + "enablePurgeProtection": true, + "enableRbacAuthorization": true, + "networkAcls": { + "defaultAction": "Deny", + "bypass": "AzureServices" } + } } ``` @@ -64,7 +70,7 @@ To deploy Key Vaults that pass this rule: For example: ```bicep -resource vault 'Microsoft.KeyVault/vaults@2021-10-01' = { +resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = { name: name location: location properties: { 
@@ -72,16 +78,35 @@ resource vault 'Microsoft.KeyVault/vaults@2021-10-01' = { family: 'A' name: 'premium' } - tenantId: subscription().tenantId - enableSoftDelete: true + tenantId: tenant().tenantId softDeleteRetentionInDays: 90 + enableSoftDelete: true enablePurgeProtection: true + enableRbacAuthorization: true + networkAcls: { + defaultAction: 'Deny' + bypass: 'AzureServices' + } } } ``` +### Configure with Azure CLI + +```bash +az keyvault update -n '' -g '' --retention-days 90 +``` + +### Configure with Azure Policy + +To address this issue at runtime use the following policies: + +- [Key vaults should have soft delete enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_SoftDeleteMustBeEnabled_Audit.json) + ## LINKS -- [Azure Key Vault soft-delete overview](https://docs.microsoft.com/azure/key-vault/general/soft-delete-overview) -- [Azure Key Vault security](https://docs.microsoft.com/azure/key-vault/general/security-overview#backup-and-recovery) -- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.keyvault/vaults) +- [RE:07 Self-preservation](https://learn.microsoft.com/azure/well-architected/reliability/self-preservation) +- [Azure Key Vault soft-delete overview](https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview) +- [Soft-delete will be enabled on all key vaults](https://learn.microsoft.com/azure/key-vault/general/soft-delete-change) +- [Azure Key Vault security](https://learn.microsoft.com/azure/key-vault/general/security-features) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.keyvault/vaults) diff --git a/docs/examples-keyvault.bicep b/docs/examples-keyvault.bicep index 25fdc6cfecc..4671cf6fb49 100644 --- a/docs/examples-keyvault.bicep +++ b/docs/examples-keyvault.bicep 
@@ -16,7 +16,7 @@ param objectId string param workspaceId string // An example Key Vault with access policies. -resource vaultWithAccessPolicies 'Microsoft.KeyVault/vaults@2023-02-01' = { +resource vaultWithAccessPolicies 'Microsoft.KeyVault/vaults@2023-07-01' = { name: name location: location properties: { @@ -45,7 +45,7 @@ resource vaultWithAccessPolicies 'Microsoft.KeyVault/vaults@2023-02-01' = { } // An example Key Vault with RBAC authorization. -resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = { +resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = { name: name location: location properties: { diff --git a/docs/examples-keyvault.json b/docs/examples-keyvault.json index b1d9f53eab4..8e025fdd0ac 100644 --- a/docs/examples-keyvault.json +++ b/docs/examples-keyvault.json @@ -1,13 +1,11 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "1.10-experimental", "contentVersion": "1.0.0.0", "metadata": { - "_EXPERIMENTAL_WARNING": "Symbolic name support in ARM is experimental, and should be enabled for testing purposes only. Do not enable this setting for any production usage, or you may be unexpectedly broken at any time!", "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "1553055841733853074" + "version": "0.24.24.22086", + "templateHash": "3218451149490833125" } }, "parameters": { @@ -37,10 +35,10 @@ } } }, - "resources": { - "vaultWithAccessPolicies": { + "resources": [ + { "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2023-02-01", + "apiVersion": "2023-07-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "properties": { @@ -67,9 +65,9 @@ ] } }, - "vault": { + { "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2023-02-01", + "apiVersion": "2023-07-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "properties": { 
@@ -88,7 +86,7 @@
 }
 }
 },
-"logs": {
+{
 "type": "Microsoft.Insights/diagnosticSettings",
 "apiVersion": "2021-05-01-preview",
 "scope": "[format('Microsoft.KeyVault/vaults/{0}', parameters('name'))]",
@@ -103,8 +101,8 @@
 ]
 },
 "dependsOn": [
-"vault"
+"[resourceId('Microsoft.KeyVault/vaults', parameters('name'))]"
 ]
 }
-}
+]
 }
\ No newline at end of file
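Review bot: The regenerated `dependsOn` at the end of the second hunk now resolves the vault by name, `"[resourceId('Microsoft.KeyVault/vaults', parameters('name'))]"`, but this template declares two `Microsoft.KeyVault/vaults` resources that both use `"name": "[parameters('name')]"` (visible in the -37 and -67 hunks, and as `name: name` on both resources in examples-keyvault.bicep), so the reference is ambiguous and an ARM deployment would most likely reject the duplicate resource name. The old symbolic-name form (`"vault"`) at least pointed at one specific resource. Since this file is emitted by bicep (`_generator`), the fix belongs in examples-keyvault.bicep: give the two example vaults distinct names (for instance a constructed `name: '${name}-ap'` for the access-policy vault, or a second parameter) and rebuild, which also makes the `resourceId(...)` unambiguous. If these examples are only consumed by PSRule and never deployed, a short comment in the .bicep saying so would save the next reader the same question.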