cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Azure Policy Guardrail

RajnishGarg
Copper Contributor

‎Jun 17 2023 03:40 AM - edited ‎Jun 17 2023 03:47 AM

‎Jun 17 2023 03:40 AM - edited ‎Jun 17 2023 03:47 AM

Azure Policy Guardrail

Hi All, 

I have the following requirement to set the guardrails for the secrets stored in the AKV.

Environment

1. I have 100s of Azure Subscriptions and in each subs, there are 1-2 AKV configured

2. There are few AKV spread across the subscriptions where very sensitive secrets are stored with a tag "sensitive"

Requirements

1. No one should be able to change/modify the tags setup in the AKV where tags are configured as sensitive even user are assigned Subs Owner/key Vault admin permissions.

2. No human user should be able to read those secrets with a sensitive tags.

3. If possible, I want to configure the above requirements for everyone except 1-2 folks within a org.

Can someone please guide me how to craft such policy.

 

Thanks

Raj

Labels:
287 Views
0 Likes
1 Reply
Reply
1 Reply
Chandrasekhar_Arya

‎Jun 18 2023 11:48 PM

‎Jun 18 2023 11:48 PM

Re: Azure Policy Guardrail

Yes I guess you need to evault Azure key vault RBAC roles specifically you can assing 1-2 folks to create and manage the keys including the vault and rest becomes Key vault users who just reads the keys
If they are spread across subscription recommended to use key vault either per subscription or per environment (Prod, Dev etc . ) this way if the vault or keys get compromised you can have minimum blast radius to control
https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli
Refer this Below URL
https://learn.microsoft.com/en-us/azure/key-vault/general/best-practices
Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.
0 Likes
Reply