Enable Trusted Microsoft Services access for Key Vault

More Info:

Ensure that, Allow trusted Microsoft services to bypass this firewall, exception is enabled within your Azure Key Vault network settings in order to grant vault access to trusted Azure cloud services.

Risk Level

High

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

To remediate the misconfiguration of enabling Trusted Microsoft Services access for Key Vault in AZURE, you can follow the below steps:

Login to the AZURE portal (https://portal.azure.com/) using your credentials.
Navigate to the Key Vault service from the left-hand side menu.
Select the Key Vault for which you want to enable Trusted Microsoft Services access.
Click on the “Access policies” option from the left-hand side menu.
Click on the ”+ Add Access Policy” button to add a new access policy.
In the “Add access policy” blade, select “Azure Key Vault” for “Configure from template”.
In the “Secret permissions” section, select the permissions that you want to grant to the Trusted Microsoft Services.
In the “Select principal” section, select “Microsoft.AzureServices.AppAuthentication” as the principal.
Click on the “Add” button to add the access policy.
Click on the “Save” button to save the changes.

Once the above steps are completed, Trusted Microsoft Services access will be enabled for the selected Key Vault in AZURE.

To remediate the misconfiguration “Enable Trusted Microsoft Services access for Key Vault” for Azure using Azure CLI, you can follow these steps:

Step 1: Open the Azure CLI and login to your account.

Step 2: Run the following command to enable Trusted Microsoft Services access for Key Vault:

az keyvault update --name <key_vault_name> --resource-group <resource_group_name> --enabled-for-template-deployment true

Note: Replace <key_vault_name> with the name of your Key Vault and <resource_group_name> with the name of your resource group.

Step 3: After running the above command, you will receive a response that confirms the update. Verify that the enabledForTemplateDeployment property is set to true.

Step 4: You have now successfully remediated the misconfiguration “Enable Trusted Microsoft Services access for Key Vault”.

To remediate the misconfiguration “Enable Trusted Microsoft Services access for Key Vault” in Azure using Python, follow these steps:

Import the necessary libraries:

from azure.keyvault import KeyVaultClient
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.keyvault import KeyVaultManagementClient

Set up a Service Principal account with the necessary permissions to access the Key Vault. You will need to provide the tenant_id, client_id, and client_secret values.

tenant_id = '<your-tenant-id>'
client_id = '<your-client-id>'
client_secret = '<your-client-secret>'

credentials = ServicePrincipalCredentials(
    client_id=client_id,
    secret=client_secret,
    tenant=tenant_id
)

Connect to the Azure Resource Management API and retrieve the Key Vault resource.

subscription_id = '<your-subscription-id>'
resource_group_name = '<your-resource-group-name>'
vault_name = '<your-key-vault-name>'

resource_client = ResourceManagementClient(credentials, subscription_id)
vault = resource_client.resources.get_by_id(
    f"/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.KeyVault/vaults/{vault_name}",
    api_version='2018-02-14'
)

Check if the Trusted Microsoft Services access is already enabled for the Key Vault.

kv_client = KeyVaultClient(credentials)
access_policies = kv_client.get_access_policies(vault.properties.vault_uri)

for policy in access_policies:
    if policy.tenant_id == '72f988bf-86f1-41af-91ab-2d7cd011db47':
        if 'Microsoft.Azure.Services.AzureActiveDirectory' in policy.permissions.keys():
            if policy.permissions['Microsoft.Azure.Services.AzureActiveDirectory'] == []:
                print("Trusted Microsoft Services access is already enabled.")
                break

If Trusted Microsoft Services access is not enabled, add it to the Key Vault access policies.

else:
    access_policies.append(
        {
            'tenant_id': '72f988bf-86f1-41af-91ab-2d7cd011db47',
            'object_id': None,
            'permissions': {
                'keys': ['get', 'create', 'delete', 'list', 'update', 'import', 'backup', 'restore'],
                'secrets': ['get', 'list', 'set', 'delete', 'backup', 'restore'],
                'certificates': ['get', 'list', 'delete', 'create', 'import', 'update', 'managecontacts', 'getissuers', 'listissuers', 'setissuers', 'deleteissuers', 'manageissuers', 'recover', 'purge', 'backup', 'restore']
            }
        }
    )

    kv_client.set_access_policy(vault.properties.vault_uri, access_policies)
    print("Trusted Microsoft Services access has been enabled.")

This code will check if Trusted Microsoft Services access is already enabled for the Key Vault and, if not, add it to the access policies.

Additional Reading:

https://docs.microsoft.com/en-us/azure/key-vault/key-vault-network-security

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

Enable Trusted Microsoft Services access for Key Vault

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Additional Reading: