πŸ›‘οΈ Azure Key Vault Private Endpoints are not used🟒

  • Contextual name: 🛡️ Private Endpoints are not used 🟢
  • ID: /ce/ca/azure/key-vault/private-endpoints-use
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

  • Internal: dec-x-807a37c9

Similar Internal Rules

Rule               Policies  Flags
✉️ dec-x-807a37c9  1

Description

Use private endpoints to allow clients and services to securely access data over a network via an encrypted Private Link. The private endpoint uses an IP address from the VNet for each service, and traffic between services is encrypted over the VNet. A VNet can also extend address space to enable access to resources and can provide a tunnel through public networks to connect remote infrastructure. This adds security by segmenting network traffic and preventing outside sources from accessing it.

Private endpoints secure network traffic between Azure Key Vault and the resources requesting secrets and keys.

Rationale

Securing traffic between services through encryption protects the data from easy interception and reading.

Private endpoints limit Azure Key Vault access to endpoints attached to approved resources. Assigning the Key Vault to a network without an endpoint can allow other resources on that network to view traffic from the Key Vault to its destination. Despite the configuration complexity, this is recommended for high-security secrets.

Remediation

Please see the additional information about the requirements needed before starting this remediation procedure.

From Azure Portal

  1. In the Azure portal, open the portal menu in the upper-left corner.
  2. Select Key Vaults.
  3. Select a Key Vault to configure.
  4. Select Networking in the left column.
  5. Select Private endpoint connections from the top row.
  6. Select + Create.
  7. Select the subscription the Key Vault is in, and any other configuration options.
  8. Select Next.
  9. For resource type, select Microsoft.KeyVault/vaults.
  10. Select the Key Vault to associate the Private Endpoint with.
  11. Select Next.
  12. In the Virtual Networking field, select the network to assign to the endpoint.
  13. Select other configuration options as desired, including an existing or new application security group.
  14. Select Next.
  15. Select the private DNS that the private endpoint will use.
  16. Select Next.
  17. Optionally add Tags.
  18. Select Next: Review + Create.
  19. Review the information and select Create. Follow the Audit procedure to verify that the configuration applied successfully.
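The Audit step the procedure ends with can be scripted. The check below is an added example, not part of this page or of Cloudaware's tooling: it evaluates vault records in the shape `az keyvault show` returns (the field names `properties.privateEndpointConnections`, `properties.publicNetworkAccess` and `properties.networkAcls.defaultAction` are assumed), passes a vault only when an Approved private endpoint connection exists, and also reports vaults whose public route is still open even though a private endpoint is attached.

```python
import json

# Added example (not Cloudaware's or Microsoft's code). Assumes the record shape
# of `az keyvault show`: properties.privateEndpointConnections[].properties
#   .privateLinkServiceConnectionState.status, properties.publicNetworkAccess
# and properties.networkAcls.defaultAction.
def audit_vault(vault: dict) -> dict:
    """Verdict for one vault: compliant when at least one private endpoint
    connection is Approved; findings also flag a public route left open."""
    props = vault.get("properties") or {}
    findings = []
    approved = [
        pec for pec in props.get("privateEndpointConnections") or []
        if str((pec.get("properties") or {})
               .get("privateLinkServiceConnectionState", {})
               .get("status", "")).lower() == "approved"
    ]
    if not approved:
        findings.append("no approved private endpoint connection")
    # A private endpoint alone does not close the public route; report the firewall state.
    if str(props.get("publicNetworkAccess", "Enabled")).lower() != "disabled":
        default_action = str((props.get("networkAcls") or {}).get("defaultAction", "Allow"))
        if default_action.lower() != "deny":
            findings.append("public network access enabled with firewall default action Allow")
        else:
            findings.append("public network access enabled (firewall default action Deny)")
    return {"vault": vault.get("name", "<unnamed>"), "compliant": bool(approved),
            "approved_endpoints": len(approved), "findings": findings}

# Constructed sample records in the `az keyvault show` shape; not real vaults.
SAMPLE_VAULTS = json.loads("""[
 {"name": "kv-prod-secrets", "properties": {
    "publicNetworkAccess": "Disabled", "networkAcls": {"defaultAction": "Deny"},
    "privateEndpointConnections": [{"properties":
      {"privateLinkServiceConnectionState": {"status": "Approved"}}}]}},
 {"name": "kv-dev-open", "properties": {
    "publicNetworkAccess": "Enabled", "networkAcls": {"defaultAction": "Allow"},
    "privateEndpointConnections": []}},
 {"name": "kv-pending", "properties": {
    "publicNetworkAccess": "Enabled", "networkAcls": {"defaultAction": "Deny"},
    "privateEndpointConnections": [{"properties":
      {"privateLinkServiceConnectionState": {"status": "Pending"}}}]}}
]""")

def audit_all(vaults: list) -> list:
    return [audit_vault(v) for v in vaults]

if __name__ == "__main__":
    for r in audit_all(SAMPLE_VAULTS):
        print("PASS" if r["compliant"] else "FAIL", r["vault"], "; ".join(r["findings"]))
```

Feed it the output of `az keyvault show` per vault (or `az keyvault list` followed by `show` for each) in place of the constructed records to run it against a real subscription.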

policy.yaml

Linked Framework Sections

Section  Sub Sections  Internal Rules  Policies  Flags  Compliance
💼 APRA CPG 234 → 💼 16d secure design, architecture and consultation;11no data
💼 APRA CPG 234 → 💼 55 In order to minimise the risk of compromise, an end-to-end approach would typically be adopted, where encryption is applied from the point-of-entry to final destination.11no data
💼 CIS Azure v1.5.0 → 💼 8.7 Ensure that Private Endpoints are Used for Azure Key Vault - Level 2 (Manual)11no data
💼 CIS Azure v2.0.0 → 💼 8.7 Ensure that Private Endpoints are Used for Azure Key Vault - Level 2 (Manual)11no data
💼 CIS Azure v2.1.0 → 💼 8.7 Ensure that Private Endpoints are Used for Azure Key Vault - Level 2 (Manual)11no data
💼 CIS Azure v3.0.0 → 💼 3.3.7 Ensure that Private Endpoints are Used for Azure Key Vault (Automated)1no data
💼 CIS Azure v4.0.0 → 💼 9.3.8 Ensure that Private Endpoints are Used for Azure Key Vault (Automated)1no data
💼 CIS Azure v5.0.0 → 💼 8.3.8 Ensure Private Endpoints are used to access Azure Key Vault (Automated)1no data
💼 Cloudaware Framework → 💼 Secure Access75no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)1163no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)63no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows3763no data
💼 UK Cyber Essentials → 💼 1.2 Prevent access to the administrative interface from the internet3638no data