Azure Arc resource bridge (preview) security overview
This article describes the security configuration and considerations you should evaluate before deploying Azure Arc resource bridge (preview) in your enterprise.
Using a managed identity
By default, an Azure Active Directory system-assigned managed identity is created and assigned to the Azure Arc resource bridge (preview). Azure Arc resource bridge currently supports only a system-assigned identity. The clusteridentityoperator identity initiates the first outbound communication and fetches the Managed Service Identity (MSI) certificate used by other agents for communication with Azure.
Identity and access control
Azure Arc resource bridge (preview) is represented as a resource in a resource group inside an Azure subscription. Access to this resource is controlled by standard Azure role-based access control. From the Access Control (IAM) page in the Azure portal, you can verify who has access to your Azure Arc resource bridge (preview).
Users and applications who are granted the Contributor or Administrator role to the resource group can make changes to the resource bridge, including deploying or deleting cluster extensions.
Azure Arc resource bridge follows data residency regulations specific to each region. If applicable, data is backed up in a secondary pair region in accordance with data residency regulations. Otherwise, data resides only in that specific region. Data isn't stored or processed across different geographies.
Data encryption at rest
Azure Arc resource bridge stores resource information in Azure Cosmos DB. As described in Encryption at rest in Azure Cosmos DB, all the data is encrypted at rest.
Security audit logs
The activity log is an Azure platform log that provides insight into subscription-level events. This includes tracking when the Azure Arc resource bridge is modified, deleted, or added. You can view the activity log in the Azure portal or retrieve entries with PowerShell and Azure CLI. By default, activity log events are retained for 90 days and then deleted.
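The two controls above (who holds Contributor/Owner on the resource group, and what the activity log records about the bridge) can be checked together from PowerShell. The script below is an added example, not code from this article or from Microsoft; it assumes the Az.Resources and Az.Monitor modules are installed and signed in, that the bridge lives in the resource group passed as $ResourceGroup, and that its resource id sits under the Microsoft.ResourceConnector provider (the provider name is not stated on this page).

```powershell
# Added example (not from the article): audit who can change an Arc resource bridge
# and what has actually been done to it, using Az PowerShell (Az.Resources, Az.Monitor).
# Assumption not stated on the page: the bridge's resource id is under the
# Microsoft.ResourceConnector provider. Adjust the -like pattern if yours differs.
param(
    [Parameter(Mandatory)] [string] $ResourceGroup,
    [int] $Days = 90   # activity log entries are kept for 90 days, so this is the usable maximum
)

# Older Az.Monitor versions return LocalizableString objects instead of plain strings.
function Get-Text($v) { if ($v -is [string]) { $v } elseif ($v.Value) { $v.Value } else { "$v" } }

# 1. Who can change the bridge (deploy or delete extensions)? Assignments inherited
#    from subscription or management-group scope are returned as well, because they
#    grant the same rights on the resource group.
$privileged = Get-AzRoleAssignment -ResourceGroupName $ResourceGroup -IncludeClassicAdministrators |
    Where-Object { $_.RoleDefinitionName -in @('Owner', 'Contributor') } |
    Select-Object DisplayName, SignInName, ObjectType, RoleDefinitionName, Scope

Write-Host "Principals with Owner/Contributor on $ResourceGroup (direct or inherited):"
$privileged | Format-Table -AutoSize

# 2. What changed? Pull activity-log entries for the resource group and keep only
#    write/delete operations against resource bridge resources.
$since = (Get-Date).AddDays(-$Days)
$changes = Get-AzActivityLog -ResourceGroupName $ResourceGroup -StartTime $since -MaxRecord 1000 |
    Where-Object {
        $_.ResourceId -like '*/providers/Microsoft.ResourceConnector/*' -and
        ((Get-Text $_.OperationName) -match '/(write|delete)$')
    } |
    Select-Object EventTimestamp, Caller,
                  @{ n = 'Operation'; e = { Get-Text $_.OperationName } },
                  @{ n = 'Status';    e = { Get-Text $_.Status } },
                  ResourceId

Write-Host "Write/delete operations on resource bridge resources in the last $Days days:"
$changes | Sort-Object EventTimestamp | Format-Table -AutoSize

# 3. Cross-check: a caller that changed the bridge but is not in the Owner/Contributor
#    list points at a custom role or a resource-scoped assignment worth reviewing.
$known = $privileged | ForEach-Object { $_.SignInName; $_.DisplayName } | Where-Object { $_ }
$unexpected = $changes | Where-Object { $_.Caller -and ($known -notcontains $_.Caller) } |
    Select-Object -ExpandProperty Caller -Unique
if ($unexpected) {
    Write-Warning "Callers not in the Owner/Contributor list: $($unexpected -join ', ')"
}
```

Because the activity log is purged after 90 days, schedule this (or forward the log to a Log Analytics workspace) if you need a longer audit trail.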