Governance Policies Security Managed Identity - Azure/az-prototype GitHub Wiki
# Governance policies for Managed Identity

Domain: security

## Patterns

| Name | Description |
|---|---|
| System-assigned identity with role | Enable system identity and assign a specific role |

## Anti-patterns

| Description | Instead |
|---|---|
| Do not store client secrets or certificates in application config | Use managed identity; the Azure SDK handles token acquisition automatically |

## Checks

| Check | Severity | Description |
|---|---|---|
| WAF-SEC-MI-001 | Required | Use system-assigned managed identity for single-service resources |
| WAF-SEC-MI-002 | Required | Use user-assigned managed identity when identity is shared across resources |
| WAF-SEC-MI-003 | Required | Never use service principal client secrets for service-to-service auth |
| WAF-SEC-MI-004 | Recommended | Assign least-privilege RBAC roles, never Owner or Contributor at resource group scope |

## WAF-SEC-MI-001: Use system-assigned managed identity for single-service resources

- Severity: Required
- Rationale: the identity's lifecycle is tied to the resource, so deleting the resource removes the identity and no orphaned identities are left behind
- Agents: cloud-architect, terraform-agent, bicep-agent, biz-analyst

Applies to resource types:

- Microsoft.App/containerApps
- Microsoft.Web/sites
- Microsoft.KeyVault/vaults
- Microsoft.Sql/servers/databases
- Microsoft.DocumentDB/databaseAccounts
- Microsoft.Storage/storageAccounts
- Microsoft.ContainerService/managedClusters
- Microsoft.ContainerRegistry/registries
- Microsoft.ServiceBus/namespaces
- Microsoft.EventHub/namespaces
- Microsoft.Cache/redis
- Microsoft.CognitiveServices/accounts
- Microsoft.Search/searchServices
- Microsoft.DBforPostgreSQL/flexibleServers
- Microsoft.DBforMySQL/flexibleServers

## WAF-SEC-MI-002: Use user-assigned managed identity when identity is shared across resources

- Severity: Required
- Rationale: one shared identity avoids duplicating role assignments per resource and simplifies rotation
- Agents: cloud-architect, terraform-agent, bicep-agent

Applies to resource types:

- Microsoft.App/containerApps
- Microsoft.Web/sites
- Microsoft.KeyVault/vaults
- Microsoft.Sql/servers/databases
- Microsoft.DocumentDB/databaseAccounts
- Microsoft.Storage/storageAccounts
- Microsoft.ContainerService/managedClusters
- Microsoft.ContainerRegistry/registries
- Microsoft.ServiceBus/namespaces
- Microsoft.EventHub/namespaces
- Microsoft.Cache/redis
- Microsoft.CognitiveServices/accounts
- Microsoft.Search/searchServices
- Microsoft.DBforPostgreSQL/flexibleServers
- Microsoft.DBforMySQL/flexibleServers

## WAF-SEC-MI-003: Never use service principal client secrets for service-to-service auth

- Severity: Required
- Rationale: secrets expire, must be rotated, and can leak; managed identity removes these risks because no secret is held by the application
- Agents: cloud-architect, terraform-agent, bicep-agent, app-developer, csharp-developer, python-developer, biz-analyst

Applies to resource types:

- Microsoft.App/containerApps
- Microsoft.Web/sites
- Microsoft.KeyVault/vaults
- Microsoft.Sql/servers/databases
- Microsoft.DocumentDB/databaseAccounts
- Microsoft.Storage/storageAccounts
- Microsoft.ContainerService/managedClusters
- Microsoft.ContainerRegistry/registries
- Microsoft.ServiceBus/namespaces
- Microsoft.EventHub/namespaces
- Microsoft.Cache/redis
- Microsoft.CognitiveServices/accounts
- Microsoft.Search/searchServices
- Microsoft.DBforPostgreSQL/flexibleServers
- Microsoft.DBforMySQL/flexibleServers

## WAF-SEC-MI-004: Assign least-privilege RBAC roles, never Owner or Contributor at resource group scope

- Severity: Recommended
- Rationale: the principle of least privilege limits the blast radius if the identity is compromised
- Agents: cloud-architect, terraform-agent, bicep-agent, biz-analyst

Applies to resource types:

- Microsoft.App/containerApps
- Microsoft.Web/sites
- Microsoft.KeyVault/vaults
- Microsoft.Sql/servers/databases
- Microsoft.DocumentDB/databaseAccounts
- Microsoft.Storage/storageAccounts
- Microsoft.ContainerService/managedClusters
- Microsoft.ContainerRegistry/registries
- Microsoft.ServiceBus/namespaces
- Microsoft.EventHub/namespaces
- Microsoft.Cache/redis
- Microsoft.CognitiveServices/accounts
- Microsoft.Search/searchServices
- Microsoft.DBforPostgreSQL/flexibleServers
- Microsoft.DBforMySQL/flexibleServers
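
As an added example (not part of this wiki page or of the az-prototype project), a small Python linter that applies WAF-SEC-MI-001, WAF-SEC-MI-003 and WAF-SEC-MI-004 to ARM-style resource definitions; WAF-SEC-MI-002 depends on whether an identity is meant to be shared, which a static check cannot know, so it is left out. The resource dicts, the subscription and resource names, and the rule that an app setting named like a client secret indicates secret-based auth are constructed assumptions.

```python
import re

# Trailing GUIDs of the built-in Owner and Contributor role definitions.
PRIVILEGED_ROLE_IDS = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",  # Owner
    "b24988ac-6180-42a0-ab88-20f7382dd24c",  # Contributor
}
# Subset of the resource types the checks apply to (see the lists above).
MI_TYPES = {"Microsoft.Web/sites", "Microsoft.App/containerApps",
            "Microsoft.KeyVault/vaults", "Microsoft.Storage/storageAccounts"}
# Heuristic (assumption): an app setting named like a client secret means secret-based auth.
SECRET_KEY = re.compile(r"client[_-]?secret", re.IGNORECASE)
# A scope that ends at the resource group, with no resource segment after it.
RG_SCOPE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/?$", re.IGNORECASE)

def check_resources(resources):
    """Return (check id, resource name) findings for a list of ARM-style resource dicts."""
    findings = []
    for r in resources:
        rtype, name, props = r.get("type", ""), r.get("name", "?"), r.get("properties", {})
        if rtype in MI_TYPES:
            # WAF-SEC-MI-001: the resource must carry a managed identity of some kind.
            if (r.get("identity") or {}).get("type", "None") == "None":
                findings.append(("WAF-SEC-MI-001", name))
            # WAF-SEC-MI-003: no client secret configured in the app settings.
            settings = props.get("siteConfig", {}).get("appSettings", [])
            if any(SECRET_KEY.search(s.get("name", "")) for s in settings):
                findings.append(("WAF-SEC-MI-003", name))
        elif rtype == "Microsoft.Authorization/roleAssignments":
            # WAF-SEC-MI-004: no Owner/Contributor assignment at resource group scope.
            role_guid = props.get("roleDefinitionId", "").rsplit("/", 1)[-1].lower()
            if role_guid in PRIVILEGED_ROLE_IDS and RG_SCOPE.match(props.get("scope", "")):
                findings.append(("WAF-SEC-MI-004", name))
    return findings

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder
ROLE_DEFS = SUB + "/providers/Microsoft.Authorization/roleDefinitions/"
SAMPLE_RESOURCES = [  # constructed sample, not a real deployment
    {"type": "Microsoft.Web/sites", "name": "api-good", "identity": {"type": "SystemAssigned"},
     "properties": {"siteConfig": {"appSettings": [{"name": "KEYVAULT_URI", "value": "https://kv-example.vault.azure.net/"}]}}},
    {"type": "Microsoft.Web/sites", "name": "api-bad",  # no identity block, secret in config
     "properties": {"siteConfig": {"appSettings": [{"name": "AZURE_CLIENT_SECRET", "value": "<redacted>"}]}}},
    {"type": "Microsoft.Authorization/roleAssignments", "name": "ra-bad",
     "properties": {"roleDefinitionId": ROLE_DEFS + "b24988ac-6180-42a0-ab88-20f7382dd24c",
                    "scope": SUB + "/resourceGroups/rg-example"}},  # Contributor on the whole group
    {"type": "Microsoft.Authorization/roleAssignments", "name": "ra-good",
     "properties": {"roleDefinitionId": ROLE_DEFS + "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
                    "scope": SUB + "/resourceGroups/rg-example/providers/Microsoft.Storage/storageAccounts/stexample"}},
]
```

Calling `check_resources(SAMPLE_RESOURCES)` reports `api-bad` under WAF-SEC-MI-001 and WAF-SEC-MI-003 and `ra-bad` under WAF-SEC-MI-004; `api-good` and the resource-scoped `ra-good` produce no findings.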