Azure group has dangerous key vault role
Set up the azure integration.
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Description
This rule detects Azure AD groups with dangerous key vault roles. It specifically detects the assignment of Key Vault Administrator and Key Vault Contributor.
Rationale
Assigning these key vault roles to Azure AD groups can unintentionally grant broad access to sensitive secrets, certificates, and encryption keys. Removing these assignments helps prevent privilege escalation, unauthorized access, and potential data breaches through misconfigured role assignments.
Review the group membership and assess whether the assigned roles are necessary. If access is not justified, remove the roles or assign more restrictive, least-privilege alternatives that align with the principle of minimum access.
