Issue:
When scanning Azure subscriptions, results for the "Key Expiration Enabled" plugins are shown as "Unknown" with the message:
"Unable to query for Keys: An error occurred while retrieving service data".
Solution:
For Aqua CSPM to scan Key Vaults in Azure, access must be granted in two places:
- The "Key Vault Contributor" role for the Active Directory application, assigned at the subscription level
- An access policy attached directly to each Key Vault, granting the application "List" permission on keys, secrets, and certificates
Steps:
- Log into Azure and locate the Subscription
- Select "Access Control (IAM)"
- Select "Add" > "Add Role Assignment"
- From "Role" select "Key Vault Contributor"
- From "Select" search for the name of the application (e.g. "cloudsploit")
- Select "Save" to save the permissions.
- Navigate to the "Key Vault" service
- For each vault, select the vault name
- Under "Settings" select the "Access Policies" blade
- Select "Add an Access Policy"
- Under "Key Permissions," "Secret Permissions," and "Certificate Permissions," select "List"
- Under "Select service principal" select the name of the application (e.g. "cloudsploit")
- Select "Add"
- Repeat for the remaining key vaults.
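The same two grants, scripted with the Azure CLI, as an added example that is not part of the original article. It assumes the CLI is installed and logged in, that the app registration is named "cloudsploit", and that `az ad sp list` returns the service principal's object id in its `id` field; setting DRY_RUN=1 prints each command instead of executing it so the changes can be reviewed first.

```shell
#!/usr/bin/env bash
# Grants the scanner's service principal the two pieces of access described above:
#   1. "Key Vault Contributor" on the subscription (control plane, via RBAC)
#   2. a List-only access policy on every vault (data plane, least privilege)
# Assumptions (not from the article): Azure CLI installed and logged in; app registration
# named "cloudsploit"; `az ad sp list` exposes the object id as `id`.
set -euo pipefail

APP_NAME="${APP_NAME:-cloudsploit}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1 so the script can be reviewed before it changes anything.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Step 1: assign "Key Vault Contributor" to the service principal, scoped to the subscription.
grant_vault_contributor() {
  local object_id="$1" subscription_id="$2"
  run az role assignment create \
    --assignee-object-id "$object_id" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Contributor" \
    --scope "/subscriptions/$subscription_id"
}

# Step 2: add a List-only access policy for keys, secrets, and certificates on one vault.
grant_list_policy() {
  local vault="$1" object_id="$2"
  run az keyvault set-policy --name "$vault" --object-id "$object_id" \
    --key-permissions list --secret-permissions list --certificate-permissions list
}

main() {
  local sub oid vault
  sub="$(az account show --query id -o tsv)"
  oid="$(az ad sp list --display-name "$APP_NAME" --query "[0].id" -o tsv)"
  [ -n "$oid" ] || { echo "service principal '$APP_NAME' not found" >&2; return 1; }
  grant_vault_contributor "$oid" "$sub"
  # "Repeat for the remaining key vaults": apply the policy to every vault in the subscription.
  for vault in $(az keyvault list --query "[].name" -o tsv); do
    grant_list_policy "$vault" "$oid"
  done
}

# Only touch Azure when explicitly asked: APPLY=1 ./grant-cspm-keyvault-access.sh
if [ "${APPLY:-0}" = "1" ]; then main; fi
```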