False negatives for Azure 'Key Vault Role Based Access Control Disabled' rule

[rieck-srlabs]

Describe the bug

ScoutSuite's 'Key Vault Role Based Access Control Disabled' rule fails to flag certain Key Vaults that are using the Vault access policy permission model.

The problem is caused because the enableRbacAuthorization field can be true, false, or null, while ScoutSuite does not handle the null case appropriately.

The code sets the rbac_authorization_enabled flag to None if the API returns null:

    vault['public_access_allowed'] = self._is_public_access_allowed(raw_vault)
    vault['rbac_authorization_enabled'] = raw_vault.properties.enable_rbac_authorization
    return vault['id'], vault

However, the rule matches for false only:

    "conditions": [
        "and",
        [
            "keyvault.subscriptions.id.vaults.id.rbac_authorization_enabled",
            "false",
            ""
        ]
    ],

To Reproduce

Prepare environment: Create a Key Vault via the az CLI utility as follows:

# Note: Choose a unique name here
$ az keyvault create --resource-group 'key-vault-tests' --name 'key-vault-2fg28f22'

This sets enableRbacAuthorization = null:

$ az keyvault show --name 'key-vault-2fg28f22' | jq '.properties.enableRbacAuthorization'
null

The resulting Key Vault uses Vault access policy as its permission model, as can be seen in the following screenshot:

Execute ScoutSuite: Run ScoutSuite with the default parameters:

$ scout azure --cli

The results do not flag the key vault 'key-vault-2fg28f22':

Additional context

n/a

[rieck-srlabs]

Closing issue, as the fix was merged and is included in the latest release.