Securing PaaS – Securing Azure Key Vault with Azure IAM

Synopsis: In this exercise, attendees will learn how management-plane roles (Access control (IAM)) and data-plane access policies together control who can manage an Azure Key Vault and who can read the keys, secrets and certificates inside it.

NOTE: If you are using a corporate Azure instance and do not have access to Active Directory, you must skip this Exercise and move to Exercise 3.

Task 1: Create a new Azure Key Vault

In this task, you will create a new Azure Key Vault.

  1. In your InPrivate or Incognito browser window, sign in to the Azure portal as the KeyVaultAdmin account.
  2. In the search box at the top of the Azure portal, type "key vault" and select Key vaults from the results.
  3. On the Key vaults blade, select +Add.
  4. A Get an Azure subscription pop-up tells you that you need admin access to create a key vault. KeyVaultAdmin has not been assigned any role on the subscription or resource group yet, so it cannot create resources; the rest of the exercise builds on this starting point.
  5. Return to the Azure portal browser window where you are signed in with your subscription admin account, not the Incognito window where KeyVaultAdmin is signed in.
  6. As in step 2, search for Key vaults and open the Key vaults blade.
  7. Select +Add.
  8. On the Create key vault blade, enter the following:

     a. Name: something similar to paassecuritykeyvault[Your Initials]. Key vault names are globally unique (they become the vault's DNS name), so pick another if yours is taken.

     b. Subscription: the subscription you are using for this lab.

     c. Resource group: your existing resource group.

     d. Leave Pricing tier and Access policies at their default values. The default access policy grants the account creating the vault full key, secret and certificate permissions, so the subscription admin can manage the vault contents; KeyVaultAdmin cannot until you grant it access in Task 4.

  9. Select Create.

Task 2: Assign IAM based Azure Key Vault permissions

In this task, you use Access control (IAM) to assign role-based access control (RBAC) permissions to the key vault you created in the previous task.

  1. When the key vault has finished provisioning, you will receive a notification in the Azure portal. In the notification, select Go to resource.
  2. On the key vault blade, select Access control (IAM).
  3. Select +Add.
  4. In the Add permissions blade, enter:

     a. Role: Key Vault Contributor

     b. Assign access to: leave set to Azure AD user, group, or application

     c. Select: search for and select the KeyVaultAdmin user.

  5. Select Save.
  6. Select +Add again.
  7. In the Add permissions blade, enter:

     a. Role: Reader

     b. Assign access to: leave set to Azure AD user, group, or application

     c. Select: search for and select the KeyVaultAuditor user.

  8. Select Save.

    NOTE: Both assignments are scoped to this one vault, not the resource group or subscription, which is the narrowest scope the portal offers. They are management-plane roles: Key Vault Contributor can change the vault resource, including its access policies, and Reader can only view it. Neither grants any permission to read keys, secrets or certificates; that is controlled by the access policies in the next task. Because Key Vault Contributor can rewrite access policies, anyone holding it can grant themselves data-plane access, so treat it as a privileged role.

Task 3: Assign access policy based Azure Key Vault permissions

In this task, you will add Access policies to the Azure Key Vault, to set the permissions of individual users within the key vault.

  1. On the new key vault blade, select Access policies from the left-hand menu under SETTINGS.
  2. Select Click to show advanced access policies.
  3. Check all three boxes: Enable access to Azure Virtual Machines for deployment, Enable access to Azure Resource Manager for template deployment, and Enable access to Azure Disk Encryption for volume encryption. These flags let the named Azure platform services retrieve secrets from the vault on behalf of a deployment. The lab enables all three so that you can see them; in production, enable only the ones a workload actually uses.
  4. Select Save.
  5. Select + Add new.
  6. On the Add access policy blade, enter the following:

     a. Select Select principal.
     • Search for and select the KeyVaultAuditor user.
     • Select Select.

     b. Key permissions: check List.

     c. Secret permissions: check List.

     d. Certificate permissions: check List.

  7. Select OK.
  8. Select Save. An access policy added with OK is not applied until the Access policies blade itself is saved.
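The same three tasks can be scripted. The block below is an added example using the Az PowerShell module; it is not part of the original lab, which is driven through the portal. The resource group, location, vault name and tenant domain are assumptions, as are the user principal names built from them, and it must be run in a session signed in as the subscription admin, since KeyVaultAdmin has no role on the subscription yet.

```powershell
# Added example (not part of the original lab): the Az PowerShell equivalent of Tasks 1 to 3.
# Run it in a session signed in as the subscription admin (Connect-AzAccount), not as
# KeyVaultAdmin, who has no role on the subscription yet. Requires Az.Accounts, Az.Resources
# and Az.KeyVault. Every value below is an assumption; replace it with your lab's values.
$ResourceGroup = 'paassecurity-rg'            # assumed: your existing lab resource group
$Location      = 'eastus'                     # assumed
$VaultName     = 'paassecuritykeyvaultabc'    # assumed initials; must be globally unique
$Domain        = 'contoso.onmicrosoft.com'    # assumed tenant domain of the lab users
$AdminUpn      = "KeyVaultAdmin@$Domain"
$AuditorUpn    = "KeyVaultAuditor@$Domain"

# Task 1: create the vault. The creating identity (the subscription admin here) automatically
# receives a full access policy; nobody else has any data-plane access yet.
$vault = New-AzKeyVault -Name $VaultName -ResourceGroupName $ResourceGroup -Location $Location

# Task 2: management-plane RBAC, scoped to this single vault rather than the resource group.
# Neither role can read a key, secret or certificate. Key Vault Contributor can, however,
# edit access policies, so it is a privileged role in the access-policy permission model.
New-AzRoleAssignment -SignInName $AdminUpn   -RoleDefinitionName 'Key Vault Contributor' -Scope $vault.ResourceId
New-AzRoleAssignment -SignInName $AuditorUpn -RoleDefinitionName 'Reader'                -Scope $vault.ResourceId

# Task 3, step 3: the "advanced access policies" are three boolean flags on the vault resource.
# The lab turns all three on; keep only the switches a workload actually needs.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroup `
    -EnabledForDeployment -EnabledForTemplateDeployment -EnabledForDiskEncryption

# Task 3, step 6: data-plane access policy for the auditor, list-only on all three object
# types, so it can enumerate names but never read a secret value or use a key.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroup `
    -UserPrincipalName $AuditorUpn `
    -PermissionsToKeys list -PermissionsToSecrets list -PermissionsToCertificates list

# Check both planes before moving on to the verification task.
Get-AzRoleAssignment -Scope $vault.ResourceId |
    Select-Object SignInName, RoleDefinitionName, Scope
(Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup).AccessPolicies |
    Select-Object DisplayName,
        @{ n = 'Keys';    e = { $_.PermissionsToKeys -join ',' } },
        @{ n = 'Secrets'; e = { $_.PermissionsToSecrets -join ',' } },
        @{ n = 'Certs';   e = { $_.PermissionsToCertificates -join ',' } }
```

The two `Set-AzKeyVaultAccessPolicy` calls are deliberately separate: the first changes vault-level flags, the second adds one principal's policy, and each overwrites only what it names. The final two commands print the role assignments (management plane) and the access policies (data plane) side by side, which is the state Task 4 then exercises from each user's point of view.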

Task 4: Verify Azure Key Vault permissions

In this task, you will log in with the three different Azure AD user accounts you created previously and observe the impact of the IAM and Access policy permissions you set above.

  1. Return to your InPrivate or Incognito browser window and sign in as KeyVaultAdmin.
  2. Search for and select Key vaults.
  3. The key vault is now listed, because the Key Vault Contributor role you assigned in Task 2 gives KeyVaultAdmin management-plane access to it. Select it.
  4. Select Keys. Instead of a key list, the blade shows the message that the operation "List" is not enabled in this key vault's access policy.

    NOTE: IAM permissions and Azure Key Vault access policies are separate. IAM (RBAC) roles govern the management plane, that is, the vault as an Azure resource. Access policies govern the data plane, that is, the keys, secrets and certificates inside it. KeyVaultAdmin has a role on the resource but no access policy, so the portal can open the vault but cannot list its keys.

  5. Select Access policies, then select +Add new.
  6. On the Add access policy blade, enter the following:

     a. Select Select principal.
     i.  Search for and select the KeyVaultAdmin user.
     ii. Select Select.

     b. For the Key permissions, check Select all.

     c. For the Secret permissions, check Select all.

     d. For the Certificate permissions, check Select all.

  7. Select OK.
  8. Select Save.
  9. Select Keys again from the left-hand menu; the error is gone. KeyVaultAdmin has just granted itself full data-plane access using nothing but the Key Vault Contributor role, which is why that role must be handed out as carefully as the access policies themselves.
  10. In your InPrivate or Incognito browser window, sign out and sign in as KeyVaultDeveloper.

    NOTE: You will need to reset the password for the account, as you did in Exercise 1, Task 3, Step 13.

    • Update the password when prompted.
  11. Search for and select Key vaults.
  12. The key vault is not listed. KeyVaultDeveloper has neither an IAM role on the vault nor an access policy, so it cannot even see the resource.
  13. Sign out.
  14. Sign in as KeyVaultAuditor.

    NOTE: You will need to reset the password for the account, as you did in Exercise 1, Task 3, Step 13.

    • Update the password when prompted.
  15. Search for and select Key vaults.
  16. The key vault is listed, because of the Reader role from Task 2. Select it.
  17. Select Keys. No warning appears this time: the access policy from Task 3 grants KeyVaultAuditor the List permission on keys.
  18. Select Access policies.
  19. Select +Add new.
  20. Select Select principal.
    • Search for and select the KeyVaultDeveloper user.
    • Select Select.
  21. Notice that the permission drop-downs are greyed out. KeyVaultAuditor has only the Reader role on the vault resource, and access policies are part of that resource, so it can view them but cannot add or change them. A Reader with a List access policy can enumerate what is in the vault without being able to grant anyone, itself included, any further access.
  22. Exit the Add access policy blade, discarding any changes.
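The verification in this task can be repeated from PowerShell, which makes the two planes explicit. The block below is an added example, not part of the original lab: `Test-LabKeyVaultAccess` is run once in a session signed in as each of the three lab users and reports separately whether the vault resource is visible (IAM) and whether keys can be listed (access policy); `Get-LabKeyVaultPermissions` is run from the subscription admin session and tabulates every grant on both planes. Both function names and the vault name are assumptions.

```powershell
# Added example (not part of the original lab): checks what the signed-in lab user can do
# against the vault, keeping the management plane (can I see the resource?) separate from
# the data plane (can I list keys?). Run Test-LabKeyVaultAccess in a session signed in as
# each of KeyVaultAdmin, KeyVaultAuditor and KeyVaultDeveloper (Connect-AzAccount in a fresh
# window per user). Get-LabKeyVaultPermissions needs the subscription admin session.
# The vault name at the bottom is an assumption; use the vault you created.

function Test-LabKeyVaultAccess {
    param([Parameter(Mandatory)][string]$VaultName)

    $result = [ordered]@{
        User            = (Get-AzContext).Account.Id
        ManagementPlane = 'not visible'
        DataPlane       = 'not tested'
        Detail          = ''
    }

    # Management plane: ARM only returns the resource when an IAM role applies at vault
    # scope or above. KeyVaultDeveloper has none, so the lookup comes back empty.
    $vault = Get-AzKeyVault -VaultName $VaultName -ErrorAction SilentlyContinue
    if (-not $vault) { return [pscustomobject]$result }
    $result.ManagementPlane = 'visible'

    # Data plane: listing keys needs a 'list' key permission in an access policy; the IAM
    # role is irrelevant here. KeyVaultAdmin is refused until Task 4 step 8 adds its policy.
    try {
        $null = Get-AzKeyVaultKey -VaultName $VaultName -ErrorAction Stop
        $result.DataPlane = 'list keys allowed'
    }
    catch {
        $result.DataPlane = 'list keys denied'
        $result.Detail    = $_.Exception.Message   # the service names the missing permission
    }
    return [pscustomobject]$result
}

# From the admin session: one table of every grant on either plane, so the lab's end state
# can be read at a glance. Role assignments inherited from the subscription appear as well.
function Get-LabKeyVaultPermissions {
    param([Parameter(Mandatory)][string]$VaultName)

    $vault = Get-AzKeyVault -VaultName $VaultName -ErrorAction Stop
    $rbac = Get-AzRoleAssignment -Scope $vault.ResourceId | ForEach-Object {
        [pscustomobject]@{ Plane = 'management'; Principal = $_.DisplayName; Grant = $_.RoleDefinitionName }
    }
    $policies = $vault.AccessPolicies | ForEach-Object {
        [pscustomobject]@{
            Plane     = 'data'
            Principal = $_.DisplayName
            Grant     = 'keys:{0} secrets:{1} certs:{2}' -f ($_.PermissionsToKeys -join ','),
                        ($_.PermissionsToSecrets -join ','), ($_.PermissionsToCertificates -join ',')
        }
    }
    @($rbac) + @($policies)
}

Test-LabKeyVaultAccess     -VaultName 'paassecuritykeyvaultabc' | Format-List
Get-LabKeyVaultPermissions -VaultName 'paassecuritykeyvaultabc' | Format-Table -AutoSize
```

Expected results mirror the portal walk-through: KeyVaultAdmin before step 8 reports the vault visible but key listing denied, KeyVaultAuditor reports visible and allowed, and KeyVaultDeveloper reports not visible, with the data plane never reached. The permissions table is the thing to review before the lab is torn down: any principal that appears under the management plane as Key Vault Contributor (or higher) should be treated as having full data-plane access, whatever its own access policy says.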

About engsoon

Eng Soon is a 4-time Microsoft MVP and has nearly 5 years of experience building enterprise systems in the cloud. He is also Microsoft Azure certified. Eng Soon has strong technical and analytical skills. As a developer, besides development tasks, he is also involved in project management, consulting, and marketing. He has a passion for technology and for sharing what he learns with others, to help them learn faster and be more productive. He has also spoken at many nationwide technical events, such as conferences, meetups and workshops. He is currently looking for opportunities in cyber security, including cloud security and application security.
