Azure Key Vault Cross-Subscription Access (2024)


Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Microsoft Azure key vaults are configured to allow access only from trusted Azure subscriptions in order to protect against unauthorized access. This approach strengthens security by minimizing the risk of unauthorized access to sensitive data stored in Azure key vaults. The list of trusted Azure subscriptions must be defined in the conformity rule settings, in the Trend Micro Cloud One™ – Conformity account console.

Security

It is crucial to avoid cross-subscription access to Azure Key Vault in order to maintain robust security boundaries and prevent unauthorized access to sensitive cryptographic materials. Allowing key vault resources to be accessed from different subscriptions can increase the risk of data breaches by broadening the attack surface and potentially exposing cryptographic assets to unauthorized users or services in other subscriptions.

Audit

To determine if your Azure key vaults allow unknown, untrusted cross-subscription access, perform the following operations:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Key vault, and choose Apply to list only the Azure key vaults available in the selected subscription.

05 Click on the name (link) of the Azure key vault that you want to examine.

06 In the navigation panel, choose Access control (IAM).

07 Select the Role assignments tab, choose the All tab, and select This resource from the Scope : All scopes filter box, to list all role assignments for the selected key vault, showing which users, groups, or service principals have been assigned what roles at the key vault level.

08 Select the role assignment that you want to examine and identify the subscription associated with the selected identity, i.e. /subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/Microsoft.ManagedIdentity/<identity-type>/<identity-name>, where <subscription-id> is the ID of the Azure subscription that manages the selected identity. If the identity's subscription differs from the key vault subscription chosen in step 3, cross-subscription access is configured for the selected Azure key vault. Perform this step for every role assignment listed on the Access control (IAM) page.

09 Sign in to your Trend Micro Cloud One™ – Conformity account, access Azure Key Vault Cross-Subscription Access conformity rule settings, and compare the <subscription-id> of each associated identity against each Azure subscription ID defined in the rule configuration. If one or more subscription IDs are not included in the list of trusted Azure subscriptions available in the rule settings, the cross-subscription access configuration available for the selected Azure key vault is not compliant.

10 Repeat steps no. 5 – 9 for each Azure key vault available in the selected subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the subscriptions available in your Azure account:

az account list --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

["abcdabcd-1234-abcd-1234-abcdabcdabcd","abcd1234-abcd-1234-abcd-abcd1234abcd"]

03 Run keyvault list command (Windows/macOS/Linux) with custom output filters to list the IDs of the key vault instances available within the current Azure subscription:

az keyvault list --subscription "abcdabcd-1234-abcd-1234-abcdabcdabcd" --query '[*].id'

04 The command output should return the requested Azure key vault IDs:

["/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-key-vault","/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-data-warehouse-vault"]

05 Run role assignment list command (Windows/macOS/Linux) with the ID of the Azure key vault that you want to examine as the --scope parameter value and custom output filters to list the principal ID of each role assignment defined for the selected key vault:

az role assignment list --scope "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-key-vault" --query '[*].principalId'

06 The command output should return the principal ID(s):

["abcd1234-abcd-1234-abcd-1234abcd1234"]

07 Run role assignment list command (Windows/macOS/Linux) to describe the Microsoft Azure subscription associated with the specified principal:

az role assignment list --assignee "abcd1234-abcd-1234-abcd-1234abcd1234" --query '[*].scope'

08 The command output should return the ID of the associated subscription, i.e. /subscriptions/<subscription-id>, where <subscription-id> is the ID of the Azure subscription that manages the selected principal. If the principal's subscription differs from the key vault subscription selected in step 3, cross-subscription access is configured for the selected Azure key vault:

["/subscriptions/12341234-abcd-1234-abcd-123412341234"]

09 Sign in to your Trend Micro Cloud One™ – Conformity account, access Azure Key Vault Cross-Subscription Access conformity rule settings, and compare the <subscription-id> of each associated principal against each Azure subscription ID defined in the rule configuration. If one or more subscription IDs are not included in the list of trusted Azure subscriptions available in the rule settings, the cross-subscription access configuration available for the selected Azure key vault is not compliant.

10 Repeat steps no. 5 – 9 for each Microsoft Azure key vault available in the current subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To remove untrusted cross-subscription access from your Azure key vaults by deleting the non-compliant role assignments, perform the following operations:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Key vault, and choose Apply to list only the Azure key vaults available in the selected subscription.

05 Click on the name (link) of the Azure key vault that you want to configure.

06 In the navigation panel, choose Access control (IAM).

07 Select the Role assignments tab, choose the All tab, and select This resource from the Scope : All scopes filter box, to list all role assignments for the selected key vault, showing which users, groups, or service principals have been assigned what roles at the key vault level.

08 Select the non-compliant role assignment that you want to remove and choose Delete.

09 Inside the Remove role assignments confirmation box, choose Yes to remove the selected role assignment.

10 Repeat steps no. 5 – 9 for each Azure key vault that you want to configure, available in the selected subscription.

11 Repeat steps no. 3 – 10 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run role assignment list command (Windows/macOS/Linux) with the ID of the Azure key vault that you want to configure as the --scope parameter value and custom output filters to list the full ID of each role assignment defined for the selected key vault:

az role assignment list --scope "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-key-vault" --query '[*].id'

02 The command output should return the role assignment ID(s):

["/subscriptions/12341234-abcd-1234-abcd-123412341234/resourceGroups/cloud-shell-storage-westeurope2/providers/Microsoft.KeyVault/vaults/cc-production-key-vault/providers/Microsoft.Authorization/roleAssignments/abcdabcd-abcd-1234-abcd-abcdabcdabcd"]

03 Run role assignment delete command (Windows/macOS/Linux) to remove the non-compliant role assignment from the associated Microsoft Azure key vault in order to protect the key vault resources from unauthorized cross-subscription access (the command does not produce an output):

az role assignment delete --ids "/subscriptions/12341234-abcd-1234-abcd-123412341234/resourceGroups/cloud-shell-storage-westeurope2/providers/Microsoft.KeyVault/vaults/cc-production-key-vault/providers/Microsoft.Authorization/roleAssignments/abcdabcd-abcd-1234-abcd-abcdabcdabcd"

04 Repeat steps no. 1 – 3 for each Microsoft Azure key vault that you want to configure, available in the selected subscription.

05 Repeat steps no. 1 – 4 for each subscription created in your Microsoft Azure cloud account.
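The following script is an added example and is not Conformity's own code: it strings together the Azure CLI audit steps (account list, keyvault list, role assignment list by --scope and by --assignee, subscription comparison) and the remediation step (role assignment delete --ids) described above, so that every subscription and key vault is walked without repeating the steps by hand. It assumes a logged-in az CLI, and a hypothetical TRUSTED_SUBSCRIPTIONS variable standing in for the trusted subscription list kept in the Conformity rule settings; the default value and any IDs in comments are constructed placeholders. It goes slightly beyond the page in one respect: a scope that names no subscription (the root scope or a management group) is reported as "unknown" rather than being compared.

```shell
#!/usr/bin/env sh
# Added example, not Conformity's own code: scripts the Azure CLI audit and
# remediation steps above. Assumes a logged-in az CLI and that the hypothetical
# TRUSTED_SUBSCRIPTIONS variable (space-separated IDs) mirrors the trusted
# subscriptions configured in the Conformity rule settings. The default below
# is a constructed placeholder ID.
TRUSTED_SUBSCRIPTIONS="${TRUSTED_SUBSCRIPTIONS:-abcdabcd-1234-abcd-1234-abcdabcdabcd}"

# Extract the subscription ID from an ARM resource ID or scope such as
# /subscriptions/<id>/resourceGroups/...; prints nothing for scopes that carry
# no subscription (the root scope "/" or a management group).
subscription_of_scope() {
  case "$1" in
    /subscriptions/*)
      rest="${1#/subscriptions/}"
      printf '%s\n' "${rest%%/*}"
      ;;
    *) printf '\n' ;;
  esac
}

# Succeed (exit 0) when the subscription ID is on the trusted list.
is_trusted_subscription() {
  for trusted in $TRUSTED_SUBSCRIPTIONS; do
    [ "$trusted" = "$1" ] && return 0
  done
  return 1
}

# Compare a principal's scope with the vault's subscription (audit steps 07-09):
# "same"      - principal lives in the vault's own subscription
# "trusted"   - a different subscription that is on the trusted list
# "UNTRUSTED" - a different subscription that is not trusted (non-compliant)
# "unknown"   - the scope names no subscription, so review it by hand
classify_scope() {
  vault_sub="$1"; scope="$2"
  principal_sub="$(subscription_of_scope "$scope")"
  if [ -z "$principal_sub" ]; then
    printf 'unknown\n'
  elif [ "$principal_sub" = "$vault_sub" ]; then
    printf 'same\n'
  elif is_trusted_subscription "$principal_sub"; then
    printf 'trusted\n'
  else
    printf 'UNTRUSTED\n'
  fi
}

# Walk every subscription, key vault and role assignment (audit steps 01-11) and
# print one tab-separated line per principal scope: verdict, vault ID, principal
# ID, role assignment ID, scope. With REMEDIATE=1 each UNTRUSTED role assignment
# is deleted once (remediation step 03); otherwise the run is read-only.
audit_key_vaults() {
  tab="$(printf '\t')"
  for sub in $(az account list --query '[*].id' --output tsv); do
    for vault in $(az keyvault list --subscription "$sub" --query '[*].id' --output tsv); do
      az role assignment list --scope "$vault" --query '[*].[principalId,id]' --output tsv |
      while IFS="$tab" read -r principal assignment_id; do
        for scope in $(az role assignment list --assignee "$principal" --query '[*].scope' --output tsv); do
          verdict="$(classify_scope "$sub" "$scope")"
          printf '%s\t%s\t%s\t%s\t%s\n' "$verdict" "$vault" "$principal" "$assignment_id" "$scope"
          if [ "$verdict" = "UNTRUSTED" ] && [ "${REMEDIATE:-0}" = "1" ]; then
            az role assignment delete --ids "$assignment_id"
            break   # the vault-level assignment is gone; no need to check further scopes
          fi
        done
      done
    done
  done
}

# Only talk to Azure when explicitly asked, so the helpers above can be sourced
# and tested offline:  sh kv-cross-sub-audit.sh --run   (add REMEDIATE=1 to delete)
if [ "${1:-}" = "--run" ]; then
  audit_key_vaults
fi
```

Run it read-only first and review the UNTRUSTED and unknown lines; a principal with several role assignments produces one line per scope, and only the vault-level assignment ID in the fourth column is what the remediation step deletes. Setting REMEDIATE=1 is the equivalent of the role assignment delete step above, so keep the trusted list in TRUSTED_SUBSCRIPTIONS aligned with the rule settings before enabling it.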

Publication date Aug 26, 2024
