Azure role-based access control (RBAC) restricts what actions users, groups, and service principals can perform on resources and should not be disabled.
Role-Based Access Control (RBAC) is an authorization mechanism that limits what actions users, groups, and service principals can perform on Azure resources. When RBAC is disabled, broader, less targeted access policies may take effect, violating the principle of least privilege. Azure resources such as Kubernetes clusters and Key Vaults expose explicit properties to enable or disable RBAC; leaving these disabled removes a critical layer of access control that helps keep permissions maintainable, auditable, and easy to revoke during an incident.
When RBAC is disabled, users or service principals may gain access to sensitive operations or data beyond what their role requires. An attacker who compromises any account with overly broad permissions can move laterally across the resource without fine-grained controls to limit the blast radius.
Without RBAC, revocations during a security incident must target broad access groups rather than specific roles, making it harder to contain a breach quickly.
The following examples show resources with RBAC explicitly disabled. Enable RBAC by setting the relevant property to true (or its enabled equivalent).
For Azure Kubernetes Services:

Noncompliant code example:

  resource "azurerm_kubernetes_cluster" "example" {
    role_based_access_control {
      enabled = false # Noncompliant
    }
  }

  resource "azurerm_kubernetes_cluster" "example2" {
    role_based_access_control {
      enabled = true
      azure_active_directory {
        managed            = true
        azure_rbac_enabled = false # Noncompliant
      }
    }
  }

Compliant solution:

  resource "azurerm_kubernetes_cluster" "example" {
    role_based_access_control {
      enabled = true
    }
  }

  resource "azurerm_kubernetes_cluster" "example2" {
    role_based_access_control {
      enabled = true
      azure_active_directory {
        managed            = true
        azure_rbac_enabled = true
      }
    }
  }
For Key Vaults since AzureRM provider 4.42.0:

Noncompliant code example:

  resource "azurerm_key_vault" "example" {
    rbac_authorization_enabled = false # Noncompliant
  }

Compliant solution:

  resource "azurerm_key_vault" "example" {
    rbac_authorization_enabled = true
  }

For Key Vaults before AzureRM provider 4.42.0:

Noncompliant code example:

  resource "azurerm_key_vault" "example" {
    enable_rbac_authorization = false # Noncompliant
  }

Compliant solution:

  resource "azurerm_key_vault" "example" {
    enable_rbac_authorization = true
  }