Control: Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.06 - Enable Role Based Access Control for Azure Key Vault

Configures auditing against a CIS Benchmark item.

Level: 2

The recommended way to access Key Vaults is to use the Azure Role-Based Access Control (RBAC) permissions model. Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. It allows users to manage Key, Secret, and Certificate permissions. It provides one place to manage all permissions across all key vaults.

The new RBAC permissions model for Key Vaults enables a much finer grained access control for key vault secrets, keys, certificates, etc., than the vault access policy. This in turn will permit the use of privileged identity management over these roles, thus securing the key vaults with JIT Access management.

Resource Types

This control targets the following resource types:

Azure > Key Vault > Vault

Policies

This control type relies on these other policies when running actions:

In Your Workspace

Developers

Control Type URI

tmod:@turbot/azure-cisv3-0#/control/types/r030306

Category URI

tmod:@turbot/cis#/control/categories/v071406

GraphQL

query controlType(id: "tmod:@turbot/azure-cisv3-0#/control/types/r030306") { … }

query controls(filter: "controlTypeId:'tmod:@turbot/azure-cisv3-0#/control/types/r030306'") { … }

CLI

Get Controls

turbot graphql controls --filter "controlTypeId:tmod:@turbot/azure-cisv3-0#/control/types/r030306"