Enabling Azure Resources with RBAC

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
L1 Bithead
No ratings

By Srikanth Makineni, Customer Success Engineer

 

Overview

 

This document goes over how to configure Azure RBAC providing fine-grained access to Azure Resources and visibility in Prisma Cloud.

 

With Azure RBAC, you can create a role definition that outlines the permissions to be applied to Prisma Cloud app registrations. This article specifically addresses the application of Azure RBAC predefined roles to manage access to Azure resources. 

 

Azure Resources offers two authorization systems such as Azure Role Based Access Control and an access policy model. 

 

Azure RBAC has several built-in roles you can assign to service principals and managed identities. 

 

  • Azure Resources authorized by access policy model 
  • Azure Resources authorized by Azure RBAC (Recommended Authorization)

 

The Prisma Cloud role created for Azure ingestion with Terraform currently utilizes the access policy module, requiring the addition of permissions one at a time. Azure recommends leveraging role-based Azure RBAC, which enables configuring permissions for Prisma Cloud using pre-defined Azure roles containing a set of permissions. With Azure RBAC, any updates to the role's permissions automatically apply without the need for manual adjustments.

 

1. Azure subscription or tenant Onboarded to Prisma Cloud

 

Prisma Cloud ingests and processes data from your cloud account environment and initiates resource monitoring. Customers can leverage the three options below to onboard Azure tenants or subscriptions. 

 

  • Terraform (recommended)
  • Using Custom Role JSON
  • Manually Authorizing Prisma cloud

 

Please Note: Confirm that you have account owner or contributor privileges to add your Prisma Cloud-created application to Azure Account Directory.

 

2. Enable Prisma Cloud to ingest Azure Resources using Access Policies

 

To ingest Azure Resources, both Get and List Permissions are enabled in the key management Operations on the Azure Portal.

 

Steps to Assign Access Policies to Azure Resources

 

Assigning an Azure Access Policy to a Key Vault using the Azure portal involves granting permissions to specific operations (like read or write) on the Key Vault resources. 

 

  1. Navigate to the Azure Portal:
    • Open your web browser and go to the Azure Portal.

 

  1. Select the Key Vault: 
    • In the left sidebar, navigate to "All services" > "Key vaults."
    • Click on the name of the desired Key Vault

 

  1. Access the Access Control (IAM) Section:
    • In the Key Vault menu, scroll down to the "Settings" section.
    • Under the "Settings" section, click on "Access control (IAM)."

 

  1. Add Access Policy
    • In the "Access control (IAM)" section, click on the "Add Access Policy" button, and configure based on requirements.  
    • Key permissions, Secret permissions, and Certificate permissions: Alternatively, you can select individual permissions based on your needs.  
    • Principal: Specify the user, group, or application to which you want to grant these permissions. 
    •  Key, Secret, Certificate: Choose the specific resource type for which you want to grant permissions.

 

  1. Navigate to the Azure Portal:
    • Review the configured access policy to ensure it's correct.
    • Click the "Add" button to save and apply the access policy.

 

RPrasadi_0-1714523604696.png

Figure 1: Adding Access Policy to Resource_palo-alto-networks

 

RPrasadi_1-1714523647980.jpeg

Figure 2: Access Policies_palo-alto-networks

 

Test Azure Access Policy and Resource Data

 

  1. Login into Prisma Cloud 
  2. Azure Key vault json data can be accessed using Prisma Cloud Inventory or running RQL using properties.enableRbackAuthorization flag.

 

RPrasadi_2-1714523725666.jpeg

Figure 3: RBAC RQL Prisma Cloud_palo-alto-networks

 

RPrasadi_3-1714523783678.jpeg

Figure 4: Resource JSON output_palo-alto-networks

 

3. Azure RBAC. Enable Prisma Cloud to ingest Azure Resources using RBAC

 

Azure RBAC is an authorization system that provides fine-grained access management to Azure Resources. The way you control access to resources using Azure RBAC is to assign Azure roles that contain three elements: security principle, role definition, and scope.

 

Steps to Assign Access Policies to Azure Resources

To assign the "Azure Key Vault Reader" role to a principal for accessing Azure Key Vault resources through the Azure portal, follow these steps:

 

  1. Navigate to the Azure Portal:
    • Open your web browser and go to the Azure Portal.

 

  1. Select the Key Vault:
    • In the left sidebar, navigate to "All services" > "Key vaults."
    •  Click on the name of the desired Key Vault.

 

  1. Access the Access Control (IAM) Section:  
    • In the Key Vault menu, scroll down to the "Settings" section.
    • Under the "Settings" section, click on "Access control (IAM)."

 

  1. Add Role Assignment: 
    • Click the "+ Add" button to add a role assignment. 
    • In the "Add role assignment" pane, select the "Reader" role. This role grants read-only access to Key Vault resources. 
    • In the "Members" section, specify the user or group to whom you want to assign the role. You can search for the user by name or email.

 

  1. Review and Save: 
    •  Review the configuration to ensure it's correct. 
    •  Click the "Save" button to apply the role assignment.

 

RPrasadi_4-1714523836810.jpeg

Figure 5: Switching from Access Policy to Azure RBAC_palo-alto-networks

 

RPrasadi_5-1713910770256.jpeg

Figure 6: Azure RBAC Roles_palo-alto-networks

 

RPrasadi_6-1713910768787.jpeg

Figure 7: Adding members to Azure RBAC role_palo-alto-networks

 

RBAC Least Privilege. Public Access Differences between Access Policies and Azure RBAC

 

Least privilege is particularly important when using Azure RBAC. If Azure Policies are configured to restrict public access, and Azure RBAC is used to assign roles, switching to Azure RBAC without considering the policies may result in the above violation.

 

RPrasadi_7-1713910768814.jpeg

Figure 8: Azure RBAC Policy Violation_palo-alto-networks

 

If running into the above violation, please allow Public Access from Specific virtual networks and IP Addresses. The NAT address used will depend on the region that your Prisma Cloud instance is hosted in. Your region can be found by looking at the URL when you log in. 

 

For example, https://app2.prismacloud.io/  The "app2" in the address indicates your Prisma Cloud tenant region.

A list of NAT addresses that map to these regions is located at this link: Prisma Cloud Regional NAT Address List.

 

RPrasadi_5-1714523992197.jpeg

 Figure 9: Adding Private IPs_palo-alto-networks

 

Verify Azure RBAC 

 

  1. Login into Prisma Cloud 
  2. Azure Key vault and attributes can be accessed using Prisma Cloud Inventory or running RQL using properties.enableRbacAuthorization flag True to indicate that Azure RBAC is configured. 

 

Azure RBAC assigned to Azure Resources can be validated using Prisma Cloud Inventory Config or running RQL using properties.enableRbacAuthorization flag True.

 

RPrasadi_6-1714524063924.jpeg

Figure 10: Azure RBAC Role Assignments_palo-alto-networks

 

RPrasadi_7-1714524123647.jpeg

Figure 11: RBAC RQL Prisma Cloud_palo-alto-networks

 

Conclusion

 

Azure RBAC predefined roles are now available for users to effectively manage access to Azure resources for Prisma Cloud Azure API ingestion.  Using Azure RBAC simplifies managing the permissions required for Prisma Cloud to access and ingest the Azure resources you are looking for Prisma Cloud to access.  

 

Instead of an expansive file of permissions, you have a set of access roles with predefined permissions policies. Each of these policies contains specific permissions. For example, a policy may include a Key Vault Reader role ( Read metadata of key vaults and its certificates, keys, and secrets).  Those policy roles are updated by Azure, so as the scope of a permission increases, Prisma Cloud will automatically get the necessary permissions to support the Azure APIs. 

 

It is important to note that the adoption of Azure RBAC (Role-Based Access Control) for permission management on Azure resources does not directly impact Prisma Cloud users.

While introducing Azure RBAC predefined roles empowers users with efficient access management for Azure resources, it's crucial to recognize that the implementation of Azure RBAC does not directly impact Prisma Cloud users' permissions. Therefore, while Azure RBAC offers enhanced control within the Azure ecosystem, its adoption does not alter the access management mechanisms specific to Prisma Cloud users.

 

Reference

 

Azure role-based access control (Azure RBAC) vs. access policies (legacy)


About the Author

 

Srikanth Makineni is a Customer Success consultant specializing in Cloud Security Posture Management, Azure, AWS, GCP, containers, and Kubernetes. Srikanth uses collaborative approaches to break down complex problems into solutions for global enterprise customers and leverages his multi-industry knowledge to inspire success. 

 

 

Rate this article:
(1)
  • 1845 Views
  • 0 comments
  • 2 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎11-08-2024 01:15 PM
Updated by: