Policy: Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.06 - Enable Role Based Access Control for Azure Key Vault

Configures auditing against a CIS Benchmark item.

Level: 2

The recommended way to access Key Vaults is to use the Azure Role-Based Access Control (RBAC) permissions model. Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. It allows users to manage Key, Secret, and Certificate permissions. It provides one place to manage all permissions across all key vaults.

The new RBAC permissions model for Key Vaults enables a much finer grained access control for key vault secrets, keys, certificates, etc., than the vault access policy. This in turn will permit the use of privileged identity management over these roles, thus securing the key vaults with JIT Access management.

Targets

This policy targets the following resource types:

Azure > Key Vault > Vault

Primary Policy

This policy is used with the following primary policy:

Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault

Policy Specification

Schema Type	`string`
Default	`Per Azure > CIS v3.0 > 03 - Microsoft Defender`
Valid Values [YAML]	`Per Azure > CIS v3.0 > 03 - Microsoft Defender` `Skip` `Check: Benchmark using attestation`

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/cis#/control/categories/v071406

Policy Type URI

tmod:@turbot/azure-cisv3-0#/policy/types/r030306

GraphQL

query policyType(id: "tmod:@turbot/azure-cisv3-0#/policy/types/r030306") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/azure-cisv3-0#/policy/types/r030306'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/azure-cisv3-0#/policy/types/r030306'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/azure-cisv3-0#/policy/types/r030306"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv3-0#/policy/types/r030306"