Governance Policies Azure Security Key Vault - Azure/az-prototype GitHub Wiki
Governance policies for Key Vault
Domain: azure-security
| Name | Description |
|---|---|
| Key Vault with RBAC and private endpoint | Complete Key Vault deployment with RBAC authorization, soft-delete, purge protection, private endpoint, diagnostics, and role assignments |
| Anti-pattern | Instead |
|---|---|
| Do not use access policies for authorization | Set enableRbacAuthorization = true and use role assignments |
| Do not disable soft-delete or purge protection | Keep both enabled with at least 90-day retention |
| Do not use service principal secrets to access Key Vault | Use managed identity with Key Vault RBAC roles |
| Check | Severity | Description |
|---|---|---|
| AZ-KV-001 | Required | Create Key Vault with RBAC authorization, soft-delete, purge protection, and public access disabled |
| AZ-KV-002 | Required | Assign Key Vault RBAC roles to application identities |
AZ-KV-001: Create Key Vault with RBAC authorization, soft-delete, purge protection, and public access disabled
Severity: Required
Rationale: RBAC is the recommended authorization model; soft-delete and purge protection prevent accidental permanent deletion; public network access is disabled so the vault is reachable only through its private endpoint
Agents: terraform-agent, bicep-agent, cloud-architect
Resources:
- Microsoft.KeyVault/vaults
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/privateEndpoints | pe-keyvault | Private endpoint for Key Vault — required when publicNetworkAccess is Disabled |
| Microsoft.Network/privateDnsZones | privatelink.vaultcore.azure.net | Private DNS zone for Key Vault private endpoint resolution |
| Microsoft.Insights/diagnosticSettings | diag-keyvault | Diagnostic settings for Key Vault to Log Analytics — audit trail for secret access and key operations |
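The following checker is an added example written for this page; it is not part of the az-prototype templates or agents. It evaluates one `Microsoft.KeyVault/vaults` resource plus its companion resources against every condition in AZ-KV-001: RBAC authorization on, no access policies, soft-delete with at least 90 days of retention, purge protection, public network access disabled, and the private endpoint, private DNS zone and Log Analytics diagnostic setting present. The dictionaries are assumed to follow the ARM resource shape (`type`, `name`, `properties`), so the same function can be pointed at resources exported from a deployment or parsed from a template; all sample resource names, subscription and workspace IDs below are constructed placeholders.

```python
"""Check AZ-KV-001: evaluate a Key Vault resource and its companion resources."""
from typing import Any

MIN_RETENTION_DAYS = 90  # policy minimum from the anti-pattern table
PRIVATE_DNS_ZONE = "privatelink.vaultcore.azure.net"


def check_az_kv_001(vault: dict[str, Any], related: list[dict[str, Any]]) -> list[str]:
    """Return findings for one vault; an empty list means the check passes."""
    props = vault.get("properties", {})
    findings: list[str] = []

    # Authorization model: RBAC on, legacy access policies absent.
    if props.get("enableRbacAuthorization") is not True:
        findings.append("enableRbacAuthorization must be true")
    if props.get("accessPolicies"):
        findings.append("accessPolicies must be empty; use role assignments instead")

    # Deletion safety: soft-delete with explicit retention, plus purge protection.
    if props.get("enableSoftDelete") is not True:
        findings.append("enableSoftDelete must be true")
    retention = props.get("softDeleteRetentionInDays")
    if not isinstance(retention, int) or retention < MIN_RETENTION_DAYS:
        findings.append(f"softDeleteRetentionInDays must be set to at least "
                        f"{MIN_RETENTION_DAYS} (got {retention!r})")
    if props.get("enablePurgeProtection") is not True:
        findings.append("enablePurgeProtection must be true")

    # Network exposure: public access off (the private endpoint carries traffic).
    if props.get("publicNetworkAccess") != "Disabled":
        findings.append("publicNetworkAccess must be 'Disabled'")

    # Companion resources: private endpoint, DNS zone for name resolution,
    # and a diagnostic setting that ships the audit trail to Log Analytics.
    by_type: dict[str, list[dict[str, Any]]] = {}
    for r in related:
        by_type.setdefault(r.get("type", "").lower(), []).append(r)
    if not by_type.get("microsoft.network/privateendpoints"):
        findings.append("missing Microsoft.Network/privateEndpoints for the vault")
    zones = [z.get("name") for z in by_type.get("microsoft.network/privatednszones", [])]
    if PRIVATE_DNS_ZONE not in zones:
        findings.append(f"missing private DNS zone {PRIVATE_DNS_ZONE}")
    diag = by_type.get("microsoft.insights/diagnosticsettings", [])
    if not any(d.get("properties", {}).get("workspaceId") for d in diag):
        findings.append("missing diagnostic setting that sends logs to a Log Analytics workspace")
    return findings


# Constructed sample resources (placeholder IDs, not real deployments).
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
COMPLIANT_VAULT = {
    "type": "Microsoft.KeyVault/vaults",
    "name": "kv-app-prod",
    "properties": {
        "enableRbacAuthorization": True,
        "accessPolicies": [],
        "enableSoftDelete": True,
        "softDeleteRetentionInDays": 90,
        "enablePurgeProtection": True,
        "publicNetworkAccess": "Disabled",
    },
}
COMPLIANT_RELATED = [
    {"type": "Microsoft.Network/privateEndpoints", "name": "pe-keyvault"},
    {"type": "Microsoft.Network/privateDnsZones", "name": PRIVATE_DNS_ZONE},
    {"type": "Microsoft.Insights/diagnosticSettings", "name": "diag-keyvault",
     "properties": {"workspaceId": _SUB + "/resourceGroups/rg-placeholder/providers/"
                                   "Microsoft.OperationalInsights/workspaces/law-placeholder"}},
]
# A legacy vault: access policies, short retention, no purge protection, public, no companions.
LEGACY_VAULT = {
    "type": "Microsoft.KeyVault/vaults",
    "name": "kv-legacy",
    "properties": {
        "enableRbacAuthorization": False,
        "accessPolicies": [{"objectId": "00000000-0000-0000-0000-000000000001",
                            "permissions": {"secrets": ["get"]}}],
        "enableSoftDelete": True,
        "softDeleteRetentionInDays": 7,
        "enablePurgeProtection": False,
        "publicNetworkAccess": "Enabled",
    },
}

if __name__ == "__main__":
    for vault, related in ((COMPLIANT_VAULT, COMPLIANT_RELATED), (LEGACY_VAULT, [])):
        result = check_az_kv_001(vault, related)
        print(f"{vault['name']}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

Retention is required to be declared explicitly rather than left to the service default, so a template that silently relies on defaults is reported; the companion-resource checks look only at resource type and name, so they confirm presence, not that the private endpoint is actually wired to this vault.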
AZ-KV-002: Assign Key Vault RBAC roles to application identities
Severity: Required
Rationale: Least-privilege access via built-in roles replaces broad access policies
Agents: terraform-agent, bicep-agent, cloud-architect
Resources:
- Microsoft.KeyVault/vaults
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Authorization/roleAssignments | Key Vault Secrets User | Key Vault Secrets User role (4633458b-17de-408a-b874-0445c86b69e6) for reading secrets |
| Microsoft.Authorization/roleAssignments | Key Vault Crypto User | Key Vault Crypto User role (12338af0-0e69-4776-bea7-57ae8d297424) for cryptographic operations — ONLY required when the architecture uses key encrypt/decrypt/wrap/unwrap operations |
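An added example for AZ-KV-002, not code from the az-prototype project: it validates the `Microsoft.Authorization/roleAssignments` on a vault using the two built-in role GUIDs from the table above. It requires a Key Vault Secrets User assignment, accepts Key Vault Crypto User only when the caller declares that the architecture performs key operations, and reports any other role. It also goes one step beyond the table by assuming that application role assignments are scoped to the vault resource itself, and reports assignments at a broader scope; that scope rule is this example's assumption, not a statement of the policy page. The subscription, vault and principal IDs are constructed placeholders, and the unapproved role GUID is a constructed stand-in for any role outside the allow list.

```python
"""Check AZ-KV-002: validate role assignments granted on a Key Vault."""
from typing import Any

# Built-in role definition GUIDs from the policy table.
KEY_VAULT_SECRETS_USER = "4633458b-17de-408a-b874-0445c86b69e6"
KEY_VAULT_CRYPTO_USER = "12338af0-0e69-4776-bea7-57ae8d297424"
APPROVED_APP_ROLES = {
    KEY_VAULT_SECRETS_USER: "Key Vault Secrets User",
    KEY_VAULT_CRYPTO_USER: "Key Vault Crypto User",
}


def role_guid(role_definition_id: str) -> str:
    """roleDefinitionId is a full ARM path; the role GUID is its last segment."""
    return role_definition_id.rstrip("/").rsplit("/", 1)[-1].lower()


def check_az_kv_002(vault_id: str, assignments: list[dict[str, Any]],
                    uses_key_operations: bool) -> list[str]:
    """Return findings for the vault's role assignments; empty means the check passes.

    uses_key_operations is the architecture's declaration that it calls
    encrypt/decrypt/wrap/unwrap on vault keys; Crypto User is justified
    only when it is True, and expected when it is True.
    """
    findings: list[str] = []
    granted: set[str] = set()
    for a in assignments:
        props = a.get("properties", {})
        principal = props.get("principalId", "<unknown principal>")
        guid = role_guid(props.get("roleDefinitionId", ""))
        scope = props.get("scope", "")
        # Assumption of this example: application roles are granted on the
        # vault itself, never on the resource group or subscription.
        if scope.lower() != vault_id.lower():
            findings.append(f"{principal}: assignment scope {scope!r} is broader than the vault")
        if guid not in APPROVED_APP_ROLES:
            findings.append(f"{principal}: role {guid} is not an approved application role")
            continue
        granted.add(guid)
        if guid == KEY_VAULT_CRYPTO_USER and not uses_key_operations:
            findings.append(f"{principal}: Key Vault Crypto User granted but no key operations declared")
    if KEY_VAULT_SECRETS_USER not in granted:
        findings.append("no Key Vault Secrets User assignment for the application identity")
    if uses_key_operations and KEY_VAULT_CRYPTO_USER not in granted:
        findings.append("key operations declared but no Key Vault Crypto User assignment")
    return findings


# Constructed sample data (placeholder IDs).
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VAULT_ID = _SUB + "/resourceGroups/rg-placeholder/providers/Microsoft.KeyVault/vaults/kv-app-prod"
ROLE_DEF_PREFIX = _SUB + "/providers/Microsoft.Authorization/roleDefinitions/"
APP_IDENTITY = "11111111-1111-1111-1111-111111111111"  # constructed managed identity object id
BROAD_ROLE_GUID = "ffffffff-0000-0000-0000-000000000000"  # constructed stand-in for a non-approved role


def assignment(principal_id: str, role: str, scope: str = VAULT_ID) -> dict[str, Any]:
    """Build a roleAssignments resource in ARM shape."""
    return {"type": "Microsoft.Authorization/roleAssignments",
            "properties": {"principalId": principal_id, "principalType": "ServicePrincipal",
                           "roleDefinitionId": ROLE_DEF_PREFIX + role, "scope": scope}}


GOOD = [assignment(APP_IDENTITY, KEY_VAULT_SECRETS_USER)]
OVER_PRIVILEGED = [
    assignment(APP_IDENTITY, KEY_VAULT_SECRETS_USER),
    assignment(APP_IDENTITY, KEY_VAULT_CRYPTO_USER),  # no key operations declared
    assignment(APP_IDENTITY, BROAD_ROLE_GUID, scope=VAULT_ID.rsplit("/providers", 1)[0]),
]

if __name__ == "__main__":
    for label, assignments in (("good", GOOD), ("over-privileged", OVER_PRIVILEGED)):
        result = check_az_kv_002(VAULT_ID, assignments, uses_key_operations=False)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

The check reads only the assignment's role GUID, principal and scope, so it cannot tell a managed identity from a service principal that authenticates with a secret (both appear as `principalType: ServicePrincipal`); the anti-pattern "do not use service principal secrets" has to be enforced where the identity is created, not here.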