Disabling Role-Based Access Control (RBAC) on Azure resources weakens an organization's ability to protect itself against compromised access controls.
To be considered safe, access controls must follow the principle of least privilege and correctly segregate duties amongst users. RBAC helps enforce these practices by translating the organization's access control needs into explicit role-based policies, which keeps access controls maintainable and sustainable.
Furthermore, RBAC allows operations teams to work faster during a security incident: it helps mitigate account theft or intrusions by letting them quickly revoke access.
Ask Yourself Whether
- This Azure resource is essential for the information system infrastructure.
- This Azure resource is essential for mission-critical functions.
- Compliance policies require access to this resource to be enforced through the use of Role-Based Access Control.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
- Enable Azure RBAC when the Azure resource supports it.
- For Kubernetes clusters, enable Azure RBAC if Azure AD integration is supported. Otherwise, use the built-in Kubernetes RBAC.
Sensitive Code Example
For Azure Kubernetes Services:
resource "azurerm_kubernetes_cluster" "example" {
  role_based_access_control {
    enabled = false # Sensitive
  }
}

resource "azurerm_kubernetes_cluster" "example2" {
  role_based_access_control {
    enabled = true
    azure_active_directory {
      managed            = true
      azure_rbac_enabled = false # Sensitive
    }
  }
}
For Key Vaults:
resource "azurerm_key_vault" "example" {
  enable_rbac_authorization = false # Sensitive
}
Compliant Solution
For Azure Kubernetes Services:
resource "azurerm_kubernetes_cluster" "example" {
  role_based_access_control {
    enabled = true
  }
}

resource "azurerm_kubernetes_cluster" "example2" {
  role_based_access_control {
    enabled = true
    azure_active_directory {
      managed            = true
      azure_rbac_enabled = true
    }
  }
}
For Key Vaults:
resource "azurerm_key_vault" "example" {
  enable_rbac_authorization = true
}
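As an added example (not part of the rule page or the azurerm provider), a small Python scanner that walks Terraform configuration and reports the three RBAC attributes above whenever they are explicitly set to `false` in the resource and nested block the rule covers. It assumes the block layout used on this page (one block opener or closer per line) and is not a full HCL parser; the sample configuration is constructed from the page's sensitive snippets.

```python
import re
# Added example (not from the rule page): scanner for the three RBAC settings
# this rule covers. Assumes one block opener/closer per line; not a full HCL parser.
RESOURCE_RE = re.compile(r'^resource\s+"([^"]+)"\s+"([^"]+)"\s*\{$')
BLOCK_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*\{$')
ATTR_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(true|false)$')
RULES = [  # (resource type, nested block path, attribute) that must be true
    ("azurerm_kubernetes_cluster", ("role_based_access_control",), "enabled"),
    ("azurerm_kubernetes_cluster",
     ("role_based_access_control", "azure_active_directory"), "azure_rbac_enabled"),
    ("azurerm_key_vault", (), "enable_rbac_authorization"),
]

def find_disabled_rbac(hcl):
    """Return (line, resource address, attribute) for each covered RBAC attribute set to false."""
    findings, resource, path = [], None, []   # path = names of the open nested blocks
    for lineno, raw in enumerate(hcl.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments and indentation
        if not line:
            continue
        if m := RESOURCE_RE.match(line):      # enter a top-level resource block
            resource, path = (m.group(1), m.group(2)), []
        elif m := BLOCK_RE.match(line):       # enter a nested block such as azure_active_directory
            path.append(m.group(1))
        elif line == "}":                     # close the innermost open block
            resource, path = (resource, path[:-1]) if path else (None, [])
        elif (m := ATTR_RE.match(line)) and resource and m.group(2) == "false":
            for rtype, rpath, attr in RULES:
                if resource[0] == rtype and tuple(path) == rpath and m.group(1) == attr:
                    findings.append((lineno, f"{rtype}.{resource[1]}", attr))
    return findings

# Constructed sample: the page's "example2" cluster and Key Vault snippets.
SAMPLE = """\
resource "azurerm_kubernetes_cluster" "example2" {
  role_based_access_control {
    enabled = true
    azure_active_directory {
      managed            = true
      azure_rbac_enabled = false # Sensitive
    }
  }
}
resource "azurerm_key_vault" "example" {
  enable_rbac_authorization = false # Sensitive
}
"""
```

Calling `find_disabled_rbac(SAMPLE)` returns the two findings on lines 6 and 11; the same configuration with both attributes set to `true` returns an empty list.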
See