Azure Resource Manager Templates and Key Vault: Securing Secrets for Azure Resource Deployments

Preventing Direct Access to Secrets from Key Vault: A Least Privilege Approach

Question

You are designing an Azure resource deployment that will use Azure Resource Manager templates. The deployment will use Azure Key Vault to store secrets.

You need to recommend a solution to meet the following requirements:

- Prevent the IT staff that will perform the deployment from retrieving the secrets directly from Key Vault.

- Use the principle of least privilege.

Which two actions should you recommend? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

Answers

Explanations


BD

B: To access a key vault during template deployment, set enabledForTemplateDeployment on the key vault to true.

D: The user who deploys the template must have the Microsoft.KeyVault/vaults/deploy/action permission for the scope of the resource group and key vault.

Incorrect Answers:

E: To grant access to a user to manage key vaults, you assign a predefined key vault Contributor role to the user at a specific scope.

If a user has Contributor permissions to a key vault management plane, the user can grant themselves access to the data plane by setting a Key Vault access policy. You should tightly control who has Contributor role access to your key vaults. Ensure that only authorized persons can access and manage your key vaults, keys, secrets, and certificates.

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter

https://docs.microsoft.com/en-us/azure/key-vault/general/overview-security

To meet the given requirements, the following actions should be recommended:

B. From Access policies in Key Vault, enable access to the Azure Resource Manager for template deployment.

D. Assign the IT staff a custom role that includes the Microsoft.KeyVault/Vaults/Deploy/Action permission.

Explanation:

A. Creating a Key Vault access policy that allows all get key permissions, get secret permissions, and get certificate permissions would give the IT staff the ability to retrieve the secrets directly from Key Vault, which is not desirable.

B. Enabling access to the Azure Resource Manager for template deployment from Access policies in Key Vault allows the Azure Resource Manager to retrieve the secrets from Key Vault during the deployment process without giving the IT staff direct access to the secrets.

C. Creating a Key Vault access policy that allows all list key permissions, list secret permissions, and list certificate permissions would allow the IT staff to list the secrets, but not retrieve them directly, which is not desirable.

D. Assigning the IT staff a custom role that includes the Microsoft.KeyVault/Vaults/Deploy/Action permission would allow the IT staff to deploy resources that use the secrets stored in Key Vault without giving them direct access to the secrets.

E. Assigning the Key Vault Contributor role to the IT staff would give them access to manage the Key Vault and its secrets, which is not desirable.

Therefore, enabling Azure Resource Manager access and assigning a custom role with deploy action permission is the recommended solution to meet the given requirements while using the principle of least privilege.
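The two recommended actions, carried out end to end with Azure PowerShell, as an added example that is not part of the original question or either explanation. Subscription, resource group, vault and group names are placeholders; the custom role name, the secret name `vmAdminPassword` and the `adminPassword` template parameter are assumptions for the illustration.

```powershell
# Added example: replace the angle-bracket placeholders before running.
$subscriptionId = "<subscription-id>"
$resourceGroup  = "<resource-group>"
$vaultName      = "<vault-name>"
$staffGroupName = "<it-staff-group>"   # assumed Azure AD group holding the IT staff
$rgScope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

# Action B: allow Azure Resource Manager to read secrets during template
# deployment (enabledForTemplateDeployment). This grants nothing to any user.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -EnabledForTemplateDeployment

# Action D: a custom role carrying only the deploy action. No secrets/get or
# secrets/list and no data actions, so members cannot read secrets themselves.
$roleJson = @"
{
  "Name": "Key Vault template deployment operator",
  "IsCustom": true,
  "Description": "Deploy templates that reference Key Vault secrets without reading them.",
  "Actions": [ "Microsoft.KeyVault/vaults/deploy/action" ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [ "$rgScope" ]
}
"@
$roleJson | Set-Content -Path .\kv-deploy-role.json
New-AzRoleDefinition -InputFile .\kv-deploy-role.json

$staffGroup = Get-AzADGroup -DisplayName $staffGroupName
New-AzRoleAssignment -ObjectId $staffGroup.Id `
    -RoleDefinitionName "Key Vault template deployment operator" -Scope $rgScope

# The parameter file names the secret by vault id and secret name only; Resource
# Manager resolves the value at deployment time, so it never sits in the file.
$paramsJson = @"
{
  "`$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminPassword": {
      "reference": {
        "keyVault": { "id": "$rgScope/providers/Microsoft.KeyVault/vaults/$vaultName" },
        "secretName": "vmAdminPassword"
      }
    }
  }
}
"@
$paramsJson | Set-Content -Path .\azuredeploy.parameters.json

# Run as an IT staff member who holds the custom role (plus rights on the resource group).
New-AzResourceGroupDeployment -ResourceGroupName $resourceGroup `
    -TemplateFile .\azuredeploy.json -TemplateParameterFile .\azuredeploy.parameters.json
```

The template itself must declare `adminPassword` as a `securestring` parameter, and the staff still need ordinary rights to create the deployed resources in the resource group; neither the Key Vault Contributor role nor any secret get/list permission is required.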