Forum Discussion

RajnishGarg
Copper Contributor
Jun 17, 2023

Azure Policy Guardrail

Hi All, 

I have the following requirement to set the guardrails for the secrets stored in the AKV.

Environment

1. I have hundreds of Azure subscriptions, and in each subscription there are 1-2 AKVs configured.

2. There are a few AKVs spread across the subscriptions where very sensitive secrets are stored with a tag "sensitive".

Requirements

1. No one should be able to change/modify the tags set up in the AKVs where tags are configured as sensitive, even if the user is assigned Subscription Owner/Key Vault Admin permissions.

2. No human user should be able to read those secrets with a sensitive tag.

3. If possible, I want to configure the above requirements for everyone except 1-2 folks within the org.

Can someone please guide me on how to craft such a policy?


Thanks

Raj
