Before Lab 1.3 — Least Privilege and Correct Privilege
In the previous labs, you found and tested an incorrect permission model.
Now you will improve it.
The goal is not to remove all access.
The goal is to give the right access.
Least privilege
Least privilege means:
Give an identity only the permissions it needs to perform its task, and nothing more.
For the backend application, ask:
What does the backend actually need to do?
If the answer is:
Read a secret from Key Vault
then the backend does not need:
Contributor on the entire resource group
Correct privilege
Correct privilege means the permission must match the actual task.
A narrow but correct permission is better than a broad but incorrect permission.
| Bad model | Better model |
|---|---|
| Contributor on resource group | Key Vault Secrets User on Key Vault |
| Broad management access | Specific data access |
| Access to many resources | Access to the required resource |
| Works by accident | Works by design |
The intended change
The fix is not:
give the backend more access
The fix is:
- remove the broad permission
- add the specific permission
- test both outcomes
What to verify after the fix
After changing permissions, always test both sides.
| Test | Desired result after fix |
|---|---|
| Backend modifies its own Azure resource | Should fail |
| Backend reads required Key Vault secret | Should work |
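The two tests above exercise the backend itself. As a complement, this added example (not part of the lab's own code) audits the identity's role assignments statically, including roles inherited from a parent scope. The subscription, resource group and vault IDs are constructed placeholders, and the rows are assumed to carry the `roleDefinitionName` and `scope` fields that `az role assignment list -o json` emits.

```python
# Added example: static audit of one identity's Azure role assignments.
# Rows are modeled on `az role assignment list --all --assignee <id> -o json`.
# All IDs are constructed; assumes the vault uses the Azure RBAC permission model.

BROAD_ROLES = {"owner", "contributor", "user access administrator"}
SECRET_ROLE = "key vault secrets user"

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-lab"
VAULT = RG + "/providers/Microsoft.KeyVault/vaults/kv-lab"

BEFORE = [{"roleDefinitionName": "Contributor", "scope": RG}]
AFTER = [{"roleDefinitionName": "Key Vault Secrets User", "scope": VAULT}]


def covers(assigned_scope, target):
    """An assignment applies to its own scope and to everything beneath it."""
    a, t = assigned_scope.rstrip("/").lower(), target.rstrip("/").lower()
    return a == "" or t == a or t.startswith(a + "/")


def audit(assignments, resource_group_id, vault_id):
    """Return (findings, has_secret_role) for the intended permission model."""
    findings, has_secret_role = [], False
    for row in assignments:
        role, scope = row["roleDefinitionName"].lower(), row["scope"]
        # Broad role at, above, or inside the resource group.
        if role in BROAD_ROLES and (covers(scope, resource_group_id) or covers(resource_group_id, scope)):
            findings.append(f"broad role {row['roleDefinitionName']} at {scope}")
        # Secret role at the vault, inherited from above, or on a single secret.
        if role == SECRET_ROLE and (covers(scope, vault_id) or covers(vault_id, scope)):
            has_secret_role = True
            if not covers(vault_id, scope):  # assigned above the vault
                findings.append(f"secret role scoped wider than the vault: {scope}")
    if not has_secret_role:
        findings.append("missing Key Vault Secrets User on the vault")
    return findings, has_secret_role


if __name__ == "__main__":
    for label, rows in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(rows, RG, VAULT))
```

An empty findings list with `has_secret_role` set to `True` corresponds to the "better model" column; it does not replace running both tests against the live backend.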
Lab focus
A good security fix reduces unnecessary access without breaking the legitimate application flow.
Screenshot placeholders
Screenshot suggestion
Add a screenshot of the Terraform change.
Suggested screenshot:
main.tf or role assignment file
Show:
- the removal/commenting of the Contributor role assignment
- the addition of the Key Vault Secrets User role assignment
Screenshot suggestion
Add a screenshot of the Azure Portal after the fix.
Suggested screenshot:
Key Vault → Access control (IAM) → Role assignments
Highlight the backend managed identity with Key Vault Secrets User.