Before Lab 1.2 — Management Plane and Data Plane
In Lab 1.1, you discovered that the backend managed identity has broad access.
In Lab 1.2, you will test the impact of that access.
Before doing that, we need one important cloud security distinction: management plane versus data plane.
Management plane
The management plane is about managing the Azure resource itself.
Examples:
- create a resource
- delete a resource
- change configuration
- restart an App Service
- update tags
- change deployment settings
- configure diagnostics
These actions manage the infrastructure.
Data plane
The data plane is about accessing the data inside a resource.
Examples:
- read a Key Vault secret value
- download a blob from a Storage Account
- query database rows
- read queue messages
These actions access the content handled by the service.
Visual model
Tips
For a full list of role definitions for Azure RBAC you can use the website AzAdvertizer.
You can search on data plane to get a clear overview; these roles are also perfect starting points for writing your own custom role definitions.

Why this matters
An identity can have broad management-plane access and still not have the correct data-plane access.
For example:
Contributor on the resource group can allow broad management actions on resources in that resource group.
But that does not automatically mean:
read a Key Vault secret value
Reading a Key Vault secret requires a suitable Key Vault data-plane permission.
For example:
Key Vault Secrets User
What to test in Lab 1.2
In the lab, you will test two things.
| Test | What it proves |
|---|---|
| Can the backend modify an Azure resource? | The identity has management-plane access |
| Can the backend read the Key Vault secret? | The identity has or lacks data-plane access |
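As an added example (not part of the lab material), the script below answers the two Lab 1.2 questions from role definitions alone, applying the Azure RBAC rule that management-plane operations are checked against `actions`/`notActions` and data-plane operations against `dataActions`/`notDataActions`. The two role definitions are constructed sample data modelled on Contributor and Key Vault Secrets User, and the check assumes the Key Vault uses the Azure RBAC permission model rather than legacy access policies.

```python
import re

# Constructed role definitions (sample data shaped like Azure RBAC role
# definitions; the permission strings are real Azure operation names).
CONTRIBUTOR = {
    "roleName": "Contributor",
    "actions": ["*"],
    "notActions": ["Microsoft.Authorization/*/Delete",
                   "Microsoft.Authorization/*/Write",
                   "Microsoft.Authorization/elevateAccess/Action"],
    "dataActions": [],
    "notDataActions": [],
}
KV_SECRETS_USER = {
    "roleName": "Key Vault Secrets User",
    "actions": [],
    "notActions": [],
    "dataActions": ["Microsoft.KeyVault/vaults/secrets/getSecret/action",
                    "Microsoft.KeyVault/vaults/secrets/readMetadata/action"],
    "notDataActions": [],
}

def _matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard: '*' matches any run of characters, '/' included, case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def role_allows(role: dict, operation: str, data_plane: bool) -> bool:
    """True if the role grants `operation` on the requested plane.

    Management-plane operations only consult actions/notActions; data-plane
    operations only consult dataActions/notDataActions. A wildcard in `actions`
    never spills over into the data plane, which is why Contributor alone
    cannot read a secret value.
    """
    allow_key, deny_key = (("dataActions", "notDataActions") if data_plane
                           else ("actions", "notActions"))
    allowed = any(_matches(p, operation) for p in role[allow_key])
    denied = any(_matches(p, operation) for p in role[deny_key])
    return allowed and not denied

def lab_checks(role: dict) -> dict:
    """The two Lab 1.2 tests: modify a resource (restart an App Service) and read a secret."""
    return {
        "can_modify_resource": role_allows(role, "Microsoft.Web/sites/restart/action", data_plane=False),
        "can_read_secret": role_allows(role, "Microsoft.KeyVault/vaults/secrets/getSecret/action", data_plane=True),
    }

if __name__ == "__main__":
    for role in (CONTRIBUTOR, KV_SECRETS_USER):
        print(role["roleName"], lab_checks(role))
```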
Key idea
Broad access is not the same as correct access.