Azure managed identity has dangerous key vault role

Set up the Azure integration.


Description

This rule detects Azure AD managed identities (system-assigned or user-assigned) that hold dangerous Key Vault roles. Specifically, it flags role assignments of Key Vault Administrator and Key Vault Contributor whose principal is a managed identity.

Rationale

Assigning these roles to managed identities can unintentionally grant broad access to sensitive secrets, certificates, and encryption keys. Key Vault Administrator grants full data-plane access to every key, secret, and certificate in the vaults at the assigned scope. Key Vault Contributor is a control-plane role that does not read vault data directly, but it can modify the vault itself, including its access policies, so an identity holding it can grant itself data access. A managed identity is attached to a workload (a VM, function, container, or app), so whoever compromises that workload inherits the role without needing a credential. Removing these assignments helps prevent privilege escalation, unauthorized access, and potential data breaches through misconfigured role assignments.

Remediation

Review the flagged managed identities and assess whether the assigned roles are necessary for the workload. If access is not justified, remove the role assignment. If the workload only needs to read or use vault data, replace the role with a narrower data-plane role at the narrowest scope (a single vault rather than a resource group or subscription), such as Key Vault Secrets User, Key Vault Crypto User, or Key Vault Certificate User, in line with the principle of least privilege. Note that these data-plane roles only take effect on vaults that use the Azure RBAC permission model; on vaults still using access policies, review the access policies instead.
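The detection and remediation logic above, as an added example that is not part of the rule or of Datadog's own code. It works over a constructed sample in the shape of `az role assignment list --all -o json`, with one extra field, `servicePrincipalType`, that is assumed to have been joined in from `az ad sp show --id <principalId>` (managed identities and app registrations both appear as `principalType: "ServicePrincipal"` in role assignment output, so that lookup is what separates them). Subscription IDs, resource names, and the choice of Key Vault Secrets User as the replacement role are assumptions for illustration.

```python
"""Find managed identities holding dangerous Key Vault roles and plan a least-privilege fix.

Added example; not the rule's own implementation. The sample data below is
constructed to mirror `az role assignment list --all -o json`, with an assumed
`servicePrincipalType` field joined from `az ad sp show`.
"""
import json

DANGEROUS_ROLES = {"Key Vault Administrator", "Key Vault Contributor"}

# Assumption: the workload only needs to read secrets, so Key Vault Secrets User
# is the least-privilege replacement. Adjust per workload (Crypto User, Certificate User, ...).
REPLACEMENT_ROLE = "Key Vault Secrets User"

# Constructed sample (assumed subscription ID, resource group, vault and principal IDs).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VAULT = SUB + "/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app"
RG = SUB + "/resourceGroups/rg-app"

SAMPLE_ASSIGNMENTS = json.loads(json.dumps([
    # Managed identity with full data-plane access to one vault: finding.
    {"principalId": "11111111-1111-1111-1111-111111111111", "principalType": "ServicePrincipal",
     "servicePrincipalType": "ManagedIdentity", "roleDefinitionName": "Key Vault Administrator",
     "scope": VAULT},
    # Managed identity with control-plane Contributor over the whole resource group: finding.
    {"principalId": "22222222-2222-2222-2222-222222222222", "principalType": "ServicePrincipal",
     "servicePrincipalType": "ManagedIdentity", "roleDefinitionName": "Key Vault Contributor",
     "scope": RG},
    # Managed identity already scoped to a narrow data-plane role: not a finding.
    {"principalId": "33333333-3333-3333-3333-333333333333", "principalType": "ServicePrincipal",
     "servicePrincipalType": "ManagedIdentity", "roleDefinitionName": "Key Vault Secrets User",
     "scope": VAULT},
    # App registration (not a managed identity): outside this rule's scope.
    {"principalId": "44444444-4444-4444-4444-444444444444", "principalType": "ServicePrincipal",
     "servicePrincipalType": "Application", "roleDefinitionName": "Key Vault Contributor",
     "scope": VAULT},
    # Human user: outside this rule's scope.
    {"principalId": "55555555-5555-5555-5555-555555555555", "principalType": "User",
     "roleDefinitionName": "Key Vault Administrator", "scope": VAULT},
]))


def find_dangerous_assignments(assignments):
    """Return role assignments where a managed identity holds a dangerous Key Vault role."""
    findings = []
    for a in assignments:
        if a.get("principalType") != "ServicePrincipal":
            continue  # users and groups are not managed identities
        if a.get("servicePrincipalType") != "ManagedIdentity":
            continue  # app registrations are service principals too, but not managed identities
        if a.get("roleDefinitionName") in DANGEROUS_ROLES:
            findings.append(a)
    return findings


def remediation_commands(finding, replacement_role=REPLACEMENT_ROLE, narrow_scope=None):
    """Build the az CLI commands that drop the dangerous role and grant a narrower one.

    `narrow_scope` lets a resource-group or subscription assignment be re-created on a
    single vault instead; by default the original scope is kept.
    """
    principal = finding["principalId"]
    role = finding["roleDefinitionName"]
    scope = finding["scope"]
    new_scope = narrow_scope or scope
    return [
        f'az role assignment delete --assignee "{principal}" --role "{role}" --scope "{scope}"',
        f'az role assignment create --assignee-object-id "{principal}" '
        f'--assignee-principal-type ServicePrincipal --role "{replacement_role}" --scope "{new_scope}"',
    ]


def plan(assignments):
    """Map each finding's principalId to the commands that remediate it."""
    return {f["principalId"]: remediation_commands(f, narrow_scope=VAULT if f["scope"] == RG else None)
            for f in find_dangerous_assignments(assignments)}


if __name__ == "__main__":
    for principal, cmds in plan(SAMPLE_ASSIGNMENTS).items():
        print(f"# {principal}")
        for c in cmds:
            print(c)
```

The `create` command only has an effect on vaults that use the Azure RBAC permission model (`az keyvault update --enable-rbac-authorization true`); on an access-policy vault the data-plane role is ignored and the access policy must be edited instead. Review each generated command before running it, since removing a role from a live workload is itself a change that can break it.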