Profile Applicability:

  • Level 2

Description:
 Access Policies provide Access Control List (ACL) functionality that lets administrators define which identities or identity groups have access to which data and commands. This implements the Role-Based Access Control (RBAC) concept and requires careful deployment and ongoing management.

Rationale:
 Role-Based Access Control (RBAC) using Access Control Lists (ACLs) enforces the principle of least privilege by ensuring users and user groups only have the necessary access, preventing unnecessary access to resources. Periodic reviews ensure that the policies are up-to-date and relevant.

Impact:

  • Pros:

    • Enforces least privilege by ensuring that users only have the permissions necessary for their roles.

    • Prevents unnecessary access and mitigates potential security risks.

    • Enhances security posture through regular access reviews.

  • Cons:

    • Requires regular reviews and updates, which may be time-consuming depending on the environment's complexity.

    • Improperly implemented RBAC can lead to overly restricted access or unintended privilege escalation.

Default Value:

  • By default, no Access Policies are implemented.

Pre-requisites:

  • Access Control Lists (ACLs) and RBAC must be configured and tailored to the environment before policies are reviewed.

Remediation:

Test Plan:

Using Azure Portal:

  1. Search for and open the Azure Cache for Redis service.

  2. Click on the name of the instance.

  3. Under Settings, select Data Access Configuration.

  4. Click on the Access Policies tab.

  5. Review the access policies to ensure they are implemented and periodically reviewed.

Using Azure CLI:

1. Run the following command to list the Access Policies:
az redis access-policy list --resource-group <resource-group-name> --name <cache-name>

2. Verify that the output contains the access policy details.
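An added example, not part of this benchmark, that turns the manual review in step 2 into a repeatable least-privilege check: it scans the listed policies for permission strings that grant every command category or an unrestricted key scope. The JSON shape and field names are assumed to match `az redis access-policy list -o json` output, and the sample policies are constructed.

```python
import json

# Constructed sample shaped like `az redis access-policy list -o json` output; the
# field names are an assumption, adjust them if the real output differs. Permission
# strings use Redis ACL syntax, the syntax Azure Cache for Redis access policies use.
SAMPLE_POLICY_LIST = json.dumps([
    {"name": "Data Owner", "permissions": "+@all allkeys", "type": "BuiltIn"},
    {"name": "app-reader", "permissions": "+@read +@connection ~app:*", "type": "Custom"},
    {"name": "batch-writer", "permissions": "+@write +@read allkeys", "type": "Custom"},
    {"name": "ops-admin", "permissions": "+@all -@dangerous ~ops:*", "type": "Custom"},
])

# Tokens that open every key in the cache to the policy holder.
UNRESTRICTED_KEYS = {"allkeys", "~*"}


def review_policy(permissions: str) -> list:
    """Return the least-privilege concerns found in one Redis ACL permission string."""
    tokens = permissions.split()
    findings = []
    if "+@all" in tokens and "-@dangerous" not in tokens:
        findings.append("grants every command category, including @dangerous")
    if "+@dangerous" in tokens:
        findings.append("explicitly grants the @dangerous category")
    if UNRESTRICTED_KEYS & set(tokens):
        findings.append("key scope is unrestricted")
    return findings


def review_access_policies(policy_json: str) -> dict:
    """Map each policy name to its findings; policies with no findings are left out."""
    report = {}
    for policy in json.loads(policy_json):
        findings = review_policy(policy["permissions"])
        if findings:
            report[policy["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in review_access_policies(SAMPLE_POLICY_LIST).items():
        print(f"{name}: {'; '.join(findings)}")
```

Pipe the real CLI output into `review_access_policies` during each periodic review so that any policy still carrying `+@all` or `allkeys` is surfaced rather than overlooked.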

Implementation Plan:

Using Azure Portal:

  1. Navigate to Azure Cache for Redis.

  2. Select the instance, then go to Data Access Configuration.

  3. Click the Access Policies tab.

  4. Implement the necessary policies based on the principle of least privilege.

Using Azure CLI:

1. Run the following command to configure the Access Policies:

az redis access-policy create --resource-group <resource-group-name> --name <cache-name> --access-policy-name <policy-name> --permissions "<redis-acl-permissions>"

Backout Plan:

Using Azure Portal:

  1. Navigate to Azure Cache for Redis.

  2. Select the instance and go to Data Access Configuration.

  3. Under Access Policies, remove or revert any changes that were implemented.

Using Azure CLI:

1. Use the following command to delete or revert an access policy:

az redis access-policy delete --resource-group <resource-group-name> --name <cache-name> --access-policy-name <policy-name>

References: