on 05-01-2024 09:59 AM - edited on 11-08-2024 01:15 PM by RPrasadi
This document goes over how to configure Azure RBAC providing fine-grained access to Azure Resources and visibility in Prisma Cloud.
With Azure RBAC, you can create a role definition that outlines the permissions to be applied to Prisma Cloud app registrations. This article specifically addresses the application of Azure RBAC predefined roles to manage access to Azure resources.
Azure Key Vault resources offer two authorization systems: Azure role-based access control (Azure RBAC) and the access policy model.
Azure RBAC has several built-in roles you can assign to service principals and managed identities.
The Prisma Cloud role created for Azure ingestion with Terraform currently uses the access policy model, which requires adding permissions one at a time. Azure recommends Azure RBAC instead, which lets you grant Prisma Cloud its permissions through predefined Azure roles that each bundle a set of permissions. With Azure RBAC, any update Azure makes to a role's permissions applies automatically, with no manual adjustment on your side.
Prisma Cloud ingests and processes data from your cloud account environment and initiates resource monitoring. Customers can leverage the three options below to onboard Azure tenants or subscriptions.
Please note: confirm that you have account owner or contributor privileges before adding the Prisma Cloud-created application to Azure Active Directory.
To ingest Azure Key Vault resources under the access policy model, both the Get and List permissions must be enabled under Key Management Operations in the Azure portal.
Assigning an Azure Access Policy to a Key Vault using the Azure portal involves granting permissions to specific operations (like read or write) on the Key Vault resources.
Figure 1: Adding an access policy to a resource
Figure 2: Access policies
Figure 3: RBAC RQL in Prisma Cloud
Figure 4: Resource JSON output
Azure RBAC is an authorization system that provides fine-grained access management for Azure resources. You control access to a resource by creating a role assignment, which has three elements: a security principal, a role definition, and a scope.
To assign the "Azure Key Vault Reader" role to a principal for accessing Azure Key Vault resources through the Azure portal, follow these steps:
Figure 5: Switching from access policy to Azure RBAC
Figure 6: Azure RBAC roles
Figure 7: Adding members to an Azure RBAC role
Least privilege is particularly important when using Azure RBAC. If Azure Policies are configured to restrict public access and Azure RBAC is used to assign roles, switching a vault to Azure RBAC without accounting for those policies may result in the violation shown in Figure 8.
Figure 8: Azure RBAC policy violation
If you run into this violation, allow public access from specific virtual networks and IP addresses only. The NAT address to allow depends on the region in which your Prisma Cloud instance is hosted. You can find your region by looking at the URL when you log in.
For example, in https://app2.prismacloud.io/ the "app2" in the address indicates your Prisma Cloud tenant region.
A list of NAT addresses that map to these regions is located at this link: Prisma Cloud Regional NAT Address List.
Figure 9: Adding private IPs
You can validate that a Key Vault uses Azure RBAC either from the Prisma Cloud Inventory Config view or by running an RQL query that filters on the resource's properties.enableRbacAuthorization flag being true.
Figure 10: Azure RBAC role assignments
Figure 11: RBAC RQL in Prisma Cloud
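As an added example (not code from the original article), the following Python check reads a Key Vault resource JSON like the one shown in Figure 4 and flags the two conditions discussed above: the vault still on the legacy access policy model (enableRbacAuthorization false), and a network ACL or disabled public access that would block the Prisma Cloud NAT address. The sample resource and the NAT address are constructed placeholders; substitute the address for your region from the Regional NAT Address List.

```python
import ipaddress

# Constructed sample of an Azure Key Vault resource JSON, in the shape Prisma Cloud
# shows in the resource JSON view (only the fields this check needs).
SAMPLE_VAULT = {
    "name": "kv-example",
    "properties": {
        "enableRbacAuthorization": False,
        "publicNetworkAccess": "Enabled",
        "networkAcls": {
            "defaultAction": "Deny",
            "ipRules": [{"value": "203.0.113.0/24"}],
        },
    },
}

# Placeholder for the Prisma Cloud NAT address of your region (constructed value);
# look up the real address in the Regional NAT Address List.
PRISMA_NAT_IP = "198.51.100.7"


def check_vault(resource, scanner_ip=PRISMA_NAT_IP):
    """Return a list of findings for one Key Vault resource JSON (empty if healthy)."""
    props = resource.get("properties", {})
    findings = []

    # 1. Authorization model: with RBAC off the vault still uses the legacy
    #    access policy model and needs per-vault Get/List permissions.
    if not props.get("enableRbacAuthorization", False):
        findings.append("legacy access policy model (enableRbacAuthorization is false)")

    # 2. Network reachability: public access must be enabled, and if the firewall
    #    default action is Deny the Prisma Cloud NAT address must be allowlisted.
    if props.get("publicNetworkAccess", "Enabled").lower() == "disabled":
        findings.append("publicNetworkAccess is Disabled; ingestion will fail")
        return findings
    acls = props.get("networkAcls", {})
    if acls.get("defaultAction", "Allow").lower() == "deny":
        ip = ipaddress.ip_address(scanner_ip)
        allowed = any(
            ip in ipaddress.ip_network(rule["value"], strict=False)
            for rule in acls.get("ipRules", [])  # single IPs parse as /32
        )
        if not allowed:
            findings.append(f"{scanner_ip} is not in the vault's ipRules allowlist")
    return findings


if __name__ == "__main__":
    for finding in check_vault(SAMPLE_VAULT):
        print(f"{SAMPLE_VAULT['name']}: {finding}")
```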
Azure RBAC predefined roles are now available for managing the access Prisma Cloud needs for Azure API ingestion. Using Azure RBAC simplifies managing the permissions Prisma Cloud requires to access and ingest the Azure resources you want it to monitor.
Instead of an expansive file of individual permissions, you assign a set of roles with predefined permission policies. For example, the Key Vault Reader role grants read access to the metadata of key vaults and their certificates, keys, and secrets. Azure maintains these roles, so when the permissions a role needs grow, Prisma Cloud automatically receives the permissions required to support the corresponding Azure APIs.
It is important to note that adopting Azure RBAC for permission management on Azure resources does not directly affect Prisma Cloud users. Azure RBAC predefined roles give you efficient access management within the Azure ecosystem, but they do not alter the permissions or access management mechanisms of Prisma Cloud users themselves.
See also: Azure role-based access control (Azure RBAC) vs. access policies (legacy)
Srikanth Makineni is a Customer Success consultant specializing in Cloud Security Posture Management, Azure, AWS, GCP, containers, and Kubernetes. Srikanth uses collaborative approaches to break down complex problems into solutions for global enterprise customers and leverages his multi-industry knowledge to inspire success.