Azure Key Vault Private Endpoints are not used
- Contextual name: Private Endpoints are not used
- ID: /ce/ca/azure/key-vault/private-endpoints-use
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
Similar Policies
- Internal: dec-x-807a37c9
Similar Internal Rules
| Rule | Policies | Flags |
|---|---|---|
| dec-x-807a37c9 | 1 | |
Description
Use private endpoints to allow clients and services to securely access data over a network via an encrypted Private Link. The private endpoint uses an IP address from the VNet for each service, and traffic between services is encrypted over the VNet. A VNet can also extend address space to enable access to resources and can provide a tunnel through public networks to connect remote infrastructure. This adds security by segmenting network traffic and preventing outside sources from accessing it.
Private endpoints secure network traffic between Azure Key Vault and the resources requesting secrets and keys.
Rationale
Securing traffic between services through encryption protects the data from easy interception and reading.
Private endpoints limit Azure Key Vault access to endpoints attached to approved resources. Assigning the Key Vault to a network without an endpoint can allow other resources on that network to view traffic from the Key Vault to its destination. Despite the configuration complexity, this is recommended for high-security secrets.
Remediation
Please see the additional information about the requirements needed before starting this remediation procedure.
From Azure Portal
- In the Azure portal, open the portal menu in the upper-left corner.
- Select `Key Vaults`.
- Select a Key Vault to configure.
- Select `Networking` in the left column.
- Select `Private endpoint connections` from the top row.
- Select `+ Create`.
- Select the subscription the Key Vault is in, and any other configuration options.
- Select `Next`.
- For resource type, select `Microsoft.KeyVault/vaults`.
- Select the Key Vault to associate the Private Endpoint with.
- Select `Next`.
- In the `Virtual Networking` field, select the network to assign to the endpoint.
- Select other configuration options as desired, including an existing or new application security group.
- Select `Next`.
- Select the private DNS that the private endpoint will use.
- Select `Next`.
- Optionally add `Tags`.
- Select `Next: Review + Create`.
- Review the information and select `Create`.

Follow the Audit procedure to verify that the configuration applied successfully.
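The Audit procedure referenced above is not reproduced on this page. As an added example (not the policy's own `prod.logic.yaml`), the check below evaluates the JSON that `az keyvault show` or an ARM GET on `Microsoft.KeyVault/vaults` returns and reports a vault as compliant only when it has a private endpoint connection in the `Approved` state; it also goes beyond this page by flagging vaults whose firewall still allows public traffic. The vault names and resource ids in the sample documents are constructed.

```python
# Added example (not the policy's prod.logic.yaml): offline audit check for the
# "Private Endpoints are not used" finding, run over `az keyvault show` output.
import json

def approved_private_endpoints(vault):
    """Return ids of the vault's private endpoint connections in state 'Approved'."""
    conns = vault.get("properties", {}).get("privateEndpointConnections") or []
    approved = []
    for conn in conns:
        # ARM nests the state under conn["properties"]; the az CLI flattens it.
        body = conn.get("properties") or conn
        state = body.get("privateLinkServiceConnectionState") or {}
        if state.get("status") == "Approved":
            approved.append(conn.get("id", "<no id>"))
    return approved

def evaluate(vault):
    """Classify one vault: compliant only if an approved private endpoint exists."""
    props = vault.get("properties", {})
    approved = approved_private_endpoints(vault)
    total = len(props.get("privateEndpointConnections") or [])
    findings = []
    if not approved:
        findings.append("no approved private endpoint connection")
    if total > len(approved):
        # Pending or rejected connections are not a usable private path yet.
        findings.append(f"{total - len(approved)} connection(s) not Approved")
    # Beyond this page: a private endpoint does not by itself block public traffic.
    acls = props.get("networkAcls") or {}
    if props.get("publicNetworkAccess", "Enabled") == "Enabled" and acls.get("defaultAction", "Allow") == "Allow":
        findings.append("public network access still allowed (networkAcls.defaultAction=Allow)")
    return {"name": vault.get("name"), "compliant": bool(approved), "findings": findings}

# Constructed sample documents (hypothetical vault names and resource ids).
SAMPLE_VAULTS = [
    {"name": "kv-prod-secrets", "properties": {
        "publicNetworkAccess": "Disabled",
        "networkAcls": {"defaultAction": "Deny"},
        "privateEndpointConnections": [
            {"id": "/subscriptions/<sub>/resourceGroups/rg-prod/providers/Microsoft.KeyVault"
                   "/vaults/kv-prod-secrets/privateEndpointConnections/pe-kv-1",
             "privateLinkServiceConnectionState": {"status": "Approved", "description": "Auto-approved"}}]}},
    {"name": "kv-dev-scratch", "properties": {
        "publicNetworkAccess": "Enabled",
        "networkAcls": {"defaultAction": "Allow"},
        "privateEndpointConnections": []}},
]

if __name__ == "__main__":
    for vault in SAMPLE_VAULTS:
        print(json.dumps(evaluate(vault)))
```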