Role-Based Access Control on Azure Key Vault is not enabled Affecting Key Vault service in Azure

Snyk CCSS

IAM / Access Control

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

Snyk ID SNYK-CC-00790
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Failure to enable Role-Based Access Control (RBAC) on Azure Key Vault may result in unauthorized access to keys, secrets, and certificates. RBAC ensures that only users, groups, or service principals with explicitly granted permissions can manage or access Key Vault resources, thereby minimizing the risk of privilege escalation and data breaches.

How to fix?

Set the enable_rbac_authorization attribute to true for the resource azurerm_key_vault.

Example Configuration


resource "azurerm_key_vault" "allow" {
  name                       = "snyk00790-vaulta1"
  location                   = data.azurerm_resource_group.snyk.location
  resource_group_name        = data.azurerm_resource_group.snyk.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  enable_rbac_authorization = true
  soft_delete_retention_days = 7
}

Role-Based Access Control on Azure Key Vault is not enabled Affecting Key Vault service in Azure

Severity

Description

How to fix?

Example Configuration

Terraform