Azure Key Vault RBAC and Policy Deep Dive

Captions
Hey everyone, and welcome to a video on Azure Key Vault permissions, auditing, and just a few other things we can do with it. So my goal of this video is to really just walk through some of the recent changes around Azure Key Vault, and as always, if this is useful please go ahead and give this a like, subscribe, comment and share.

Now, previously I've talked about managed identities. Managed identity lets me have some kind of Azure resource actually have an identity in Azure AD for that resource that can then be given permissions to other Azure resources, so there's no need to kind of store a credential or anything else. But as many times I can't do that: I need some secret, maybe I need a key for encryption, decryption, signing, maybe I need certificates and that full management. And so what we have is Azure Key Vault. So this is Azure Key Vault. So this is that secure, tamper-proof, HSM-backed solution in Azure that I can use for various things, and I'll put that in, otherwise it looks like a washing machine.

Now, the point of the Azure Key Vault is we can store different things. I can have things like secrets. So a secret is something I can write to it and actually get back out, like some kind of storage access key, a shared access signature, a primary key for Cosmos DB, a resource token value. I can store keys. So a key is something I can either import into the Key Vault or generate within the Key Vault that I can't get out of it, but what I can do is use the key. So I can maybe send it a hash value and ask it to sign it for me, I could send it data to be decrypted, encrypted, ciphers etcetera. And then we have certificates. So certificates are really a key and the secret wrapping an envelope, but there's certain kind of provisioning requirements I have with that: I can think about lifecycle management, the deployment. So Key Vault can do all of those types of things, and again it's HSM backed, it's stored in the HSM, and then there's kind of a software and a HSM mode for actually using it. In the software-based, the key is actually utilized, the secret is utilized, in software; in HSM, all the operations are actually performed in the HSM itself, it never leaves there, it just costs a little bit more.

Now, for all of these things I have multiple secrets, multiple keys, multiple certificates, and then we have these security principals, these service principals in Azure AD. So how do I give them permission to these things? So what we had in the past, and still is there, should be careful, I'll say that, is we had the idea of kind of access policies. Now an access policy applied to the vault, and what I could basically say is for a certain security principal, it could be a user, a group, and that includes managed identities, I could give it certain permissions. So I could give it permissions based on keys, secrets and certificates, so I would kind of check the ones I wanted to have and all the different types of permission I could have within there. But it applied to the entire vault. There was no way for me to say, well, you can get this secret, maybe there's kind of a secret one and a secret two and a secret three, if there's a key one, a key two, etcetera. I have no granularity there, I can just say these are the permissions you have to the vault.

So let's take a look at this in action. So if we jump over to the portal here, I'm going to go ahead and look at my regular vault, and if we look at access policy what we can actually see is for the permission model I'm running vault access policy. So what we then have is I have different principals. I have got Clark Kent and me. For Clark Kent, well, it has these permissions on secrets in the vault. I have permissions on the keys, the secrets and the certificates. If I want to add a new access policy I can create it from a template, which will just pre-populate various key, secret, certificate permissions. So I could say, hey, I want to be a secret management, well, it would pre-select those permissions and then I would pick the security principal, I either use a group, managed identity, whatever, who has those. And that's great, but yeah, it's the whole vault, there's no ability to be more granular.

So what we now have is actually role-based access control. So like we've seen with some of the storage services like blob, we always think of roles. Typically if we have a role, normally roles are all about kind of the management plane. So we have the management plane, so the various resource providers that define the various resources, and then there are various kind of actions that apply to them. Well, then we have the data plane as well. So now Key Vault as a resource provider now has resource types of things like secrets, keys, certificates, so now we can actually have actions at the data plane for Key Vault. So what that means is there are a bunch of built-in roles, I can create my own roles just like we can with anything else, and I can assign that role. Now that role could be at a subscription, a resource group, a resource, either vault, or at a particular key or secret. So now I can actually think about, well, hey, I'm actually going to give Clark permissions just to that secret. I'm going to give a managed identity I have for a particular app access to just that secret. Now someone else I might set it at the Key Vault level so it will get inherited down to all of the secrets, keys, whatever within the vault, but I now have this ability with role-based access control of the data plane to be far more specific.

So let's take a look at that. So I'm going to jump over to a different vault now. I'm going to go to my RBAC vault, as you may have guessed. If I go to access policy now, what we can actually see is my permission model is now Azure role-based access control. This is in preview right now, and you can see, well, there's no permissions to set here. Instead I go to access control. There's a whole bunch of different roles that can apply. You can see there's like Key Vault Crypto Officer, Service Encryption Reader, Secrets Officer, Secrets User, a whole batch you can all see there in preview. These are all doing things at kind of the data plane, so I could do a role assignment at this level. And just so you can understand what this is doing, if we look at like Secrets User and look at the permissions, we can see it's using the Key Vault resource provider, then within there we see the different types of asset we can have under the data plane. So I'm down here at the bottom, so here we can actually see, well, for secret it's got get secret and list, or read secret. So these are the built-in ones. Again, I could create my own ones if I wanted to, but I could also now go to particular secrets, and I could see, well, for secret one it has its own access control. I can assign roles here, and for example, this particular secret I gave Bruce Wayne the Key Vault Secrets User. If I go to my secret two, again, its own access control, its own role assignment. Well, here I gave both Clark Kent and the managed identity for a function I have, func app sav powershell. So now that managed identity for that Azure Function could only read secret two and not secret one.

So, if I make this a bit more interesting, rather than just showing a user listing the secret, what I actually did is I created the world's worst PowerShell function. What I have done on this function is I turned on its managed identity, so you can see that status is on. And now basically in the function, it's just a HTTP trigger, and all the code does is it gets passed in a name and it's going to try and read the secret from a hard-coded vault. Again, this is not good code. You can basically see I'm going to pass in a name and then I'm going to try and get the secret. So I can just do a test run, and remember it had access to secret two, but we'll try secret one first. So I'm changing the parameter I'm passing the function and hitting run. So it's connecting, connected, and we would expect this one obviously to fail. Now, if it's not run for a little while, remember this is serverless, so it has to kind of spin up and then it will actually run my piece of PowerShell, so this might take 20, 30 seconds because it's the first time. Oh, and there we go, its response is, well, it's actually "I need a secret". It didn't actually like the values. Let's go back. It didn't like what I typed in here. Oh, I touched in a 1 that crept in, so it messed up what it got passed. So let's delete that, I don't know how that actually got there. Let's run that again, and we'll put in secret one. And when I edited it I must have edited in the wrong place. There we go. All right, so we run it again. It'll be fast this time because it's already kind of warmed up in Azure. So this, again, we would expect to fail. It should not have the permission to actually read secret one. So it could not read secret one, because remember it's only got permission to secret two. So now if I change it to secret two and hit run, I would expect this to work. It should show me the value that's in that secret, and it does. It's actually reading in the value from the secret.

So what we're really seeing here is two things, remember. So I have a resource, in my case it's an Azure Function, that has a system-assigned managed identity, so it's using that managed identity to actually authenticate, and that same managed identity has permission just to a particular secret, so it can go and read it. The one thing to just be careful of: I assigned it directly to the managed identity, but I absolutely could have just had a group within my Azure AD and added the managed identity and other security principals to the group, and then given the group permission to the secret, and then I wouldn't have to add a role assignment for every single identity, because there are a limit. If today I actually go and look at the portal, and we'll jump over again quickly, when I go and actually do role assignments, I can look at anything in the subscription, I'll just look at the function itself. There's a limit of two thousand. So if I start to get super specific and create a role for every separate identity in my subscription, I'm actually getting close to kind of hitting that limit. So we still want to be intelligent with how we actually assign those, and we use groups if we can. We want to streamline how we do those.

Now, the other thing I wanted to talk about, actually two other things, is this is all great, I have all these things, but I might have compliance requirements. I might have compliance requirements on all of this content. I might have regulatory guidance that says, well, you have to use these types of ciphers, secrets have to be changed every 30 days, they must have an expiry time. So what we can actually now do is, on top of all of this, remember on all of Azure we have the Azure Resource Manager. So all of these communications are actually going through ARM. So we have the Azure Resource Manager, that's the API that we talk through, and as part of that we can kind of have very closely integrated Azure Policy. So it doesn't matter if I'm using PowerShell, portal, CLI, RESTful interface, ARM template, it's going to pass through the policy. So what we could actually now do is, there are now policies related to Azure Key Vault. So if we jump over, and let's go and look at Azure Policy for a second, what we can see is, if we look at, well, firstly, you can already see, well, I've got this compliance error, "the secret should have expiration", and I have some that don't. So straight away you can kind of see, oh, okay, there's something going on here. I have two vaults that are non-compliant, and I could go and select it and actually see I have secrets here that are out of compliance of this policy. So now I can actually jump over and I could actually view the definition. So the definition is saying, hey, remember now we understand these kind of resources, and I have a policy rule that for secrets, then it must have an expiresOn. So if all of these are basically true, i.e. is a secret and the expiresOn does not exist, then I can have an effect. Now, in my case my effect is just an audit. I'm not actually blocking or doing a deny, but you can pass that effect as a parameter. So in the assignment you can actually configure, well, what is that, and my default value again is audit, but there are many others. If we go and look at our definitions, we can search on things like secret, or I can see secrets should have a content type, they should have an expiration date, should have more than a specified number of, so look, days before expiration, longer than a specified number of days. So I can pass those parameters, how many days for example I want in there. There are also ones around keys, and there's a lot of other things that have Key Vault, key in the name. We can see there's preview ones at the bottom, and also we'll see ones around certificate. So you can kind of go and poke around, and why I keep selecting the other box, that's driving me nuts, but you can see there's all of these policies as well. So they're now built in, and that's all designed to help make it easier for me to track the compliance kind of of my Key Vault.

Now, the only other thing I'd kind of mention: if we're trying to track, hey, secrets, for my application for example, imagine the secret was updated and I kind of want to know there's been a new shared access signature. So the other thing that we can now actually do is this thing called Event Grid. Event Grid is all around the idea that, okay, so I have my Event Grid, and I can have a whole bunch of kind of event sources. So this is going to generate events, and nearly every type of resource in Azure can be an event source, but one of them is now Key Vault. On the other side we kind of have event handlers. So these can receive the events and do something. So this could be a Logic App, this could be a Function, this could be an Azure Automation, it could be some other kind of webhook, HTTP, something else. And what will happen here is Event Grid, when it gets these in, will fire off to these things. So the benefit here is it's kind of a push to these things instead of these things having to do a pull. They have to poll constantly: hey, do you have something for me? Do you have, they call it a hammer poll, constantly sending, have you got something yet? This can also do things like, well, I could add filters, so I'll only get told about the specifics I care about. It can do things like retry. It brings this centralized viewing together for all of these different sources. So the key point is now Key Vault can be one of those. I can use it to actually tell my app something's happened, for example a secret has changed. It just kind of brings everything together.

So that's what I'm going to cover today, just make sure you're aware of kind of these new capabilities that exist. As always, I hope this was useful, and until next time, take care.
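The secret-scoped role assignment and the expiry audit walked through above, as an added Azure PowerShell example that is not from the video; the resource group, vault, function app and secret names are placeholders, and the caller is assumed to already be signed in with Connect-AzAccount and to have rights to create role assignments and list secrets.

```powershell
# Added example (not from the video): grant a function app's system-assigned
# managed identity the built-in "Key Vault Secrets User" role on ONE secret,
# then verify the assignment and audit which secrets have no expiry.
# All names below are placeholders; replace them with your own.
$rg        = "rg-keyvault-demo"     # placeholder resource group
$vaultName = "kv-rbac-demo"         # placeholder vault using the Azure RBAC permission model
$funcName  = "func-demo"            # placeholder function app with system-assigned identity
$secret    = "secret2"              # placeholder secret the identity may read

# The managed identity of the function app is the principal we grant access to.
$app = Get-AzWebApp -ResourceGroupName $rg -Name $funcName
$principalId = $app.Identity.PrincipalId
if (-not $principalId) {
    throw "Enable the system-assigned managed identity on $funcName first."
}

# Data-plane RBAC scopes can be the vault itself or a single secret/key/certificate.
# Scoping to the secret means other secrets in the vault (secret1) stay unreadable.
$vault       = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg
$secretScope = "$($vault.ResourceId)/secrets/$secret"

New-AzRoleAssignment -ObjectId $principalId `
    -RoleDefinitionName "Key Vault Secrets User" `
    -Scope $secretScope

# Verify what this principal holds at the secret scope. Assignments inherited
# from the vault, resource group or subscription are listed here too, which is
# how an over-broad vault-level grant would show up.
Get-AzRoleAssignment -ObjectId $principalId -Scope $secretScope |
    Select-Object RoleDefinitionName, Scope

# The data-plane permissions the built-in role carries (the list inspected in the portal).
(Get-AzRoleDefinition -Name "Key Vault Secrets User").DataActions

# Local check matching the "secrets should have an expiration date" policy:
# list secrets in the vault whose expiresOn attribute is not set.
Get-AzKeyVaultSecret -VaultName $vaultName |
    Where-Object { -not $_.Expires } |
    Select-Object Name, Enabled, Expires
```

For many identities, assign the role to an Azure AD group that contains them instead of per identity, as the video notes, so the role-assignment limit is not consumed one secret at a time.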
Info
Channel: John Savill's Technical Training
Views: 5,662
Keywords: azure, azure cloud, azure key vault, rbac, azure policy, event grid
Id: oYzFWOrZMKc
Length: 20min 13sec (1213 seconds)
Published: Thu Oct 29 2020