Azure Policy Guardrail

Copper Contributor

Hi All, 

I have the following requirement to set the guardrails for the secrets stored in the AKV.


1. I have 100s of Azure Subscriptions and in each subs, there are 1-2 AKV configured

2. There are few AKV spread across the subscriptions where very sensitive secrets are stored with a tag "sensitive"


1. No one should be able to change/modify the tags setup in the AKV where tags are configured as sensitive even user are assigned Subs Owner/key Vault admin permissions.

2. No human user should be able to read those secrets with a sensitive tags.

3. If possible, I want to configure the above requirements for everyone except 1-2 folks within a org.

Can someone please guide me how to craft such policy.




1 Reply
Yes I guess you need to evault Azure key vault RBAC roles specifically you can assing 1-2 folks to create and manage the keys including the vault and rest becomes Key vault users who just reads the keys
If they are spread across subscription recommended to use key vault either per subscription or per environment (Prod, Dev etc . ) this way if the vault or keys get compromised you can have minimum blast radius to control
Refer this Below URL
Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.