📁 Azure Key Vault Private Endpoints are not used 🟒

  • Contextual name: 📁 Private Endpoints are not used 🟒
  • ID: /ce/ca/azure/key-vault/private-endpoints-use
  • Located in: 📁 Azure Key Vault

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

  • Internal
    • dec-x-807a37c9

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-807a37c9 | 1 |

Logic


Description

Private endpoints secure network traffic between Azure Key Vault and the resources that request its secrets and keys.

Rationale

Private endpoints restrict network requests to Azure Key Vault to the endpoints attached to the resources that are explicitly allowed to communicate with it. Assigning the Key Vault to a network without a private endpoint allows other resources on that network to view all traffic from the Key Vault to its destination. Despite the configuration complexity, this is recommended for high-security secrets.

Impact

Incorrect or poorly timed changes to the network configuration could result in service interruption. Private endpoints also incur additional cost tiers once networking traffic reaches a petabyte or more.

Audit

From Azure Portal
  1. From Azure Home open the Portal Menu in the top left.
  2. Select Key Vaults.
  3. Select a Key Vault to audit.
  4. Select Networking in the left column.
  5. Select Private endpoint connections from the top row.
  6. View if there is an endpoint attached.
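The portal steps above check one vault at a time. The following added example (not part of the Cloudaware policy page or its policy logic) performs the same check over the ARM resource JSON of several vaults at once, as returned by `az keyvault show` or an Azure Resource Graph query. It reads `properties.privateEndpointConnections` and treats a vault as compliant only when at least one connection is in the `Approved` state. It goes a step beyond the page's own check by also reporting, as a separate finding, whether `publicNetworkAccess` and `networkAcls.defaultAction` still leave the public endpoint open, because a private endpoint alone does not close it. The three vault documents are constructed for the example and are not real resources.

```python
"""Evaluate Microsoft.KeyVault/vaults resource documents for private endpoint usage.

Added example: the input shape mirrors the ARM resource JSON printed by
`az keyvault show`; every vault below is constructed sample data.
"""
import json

# Constructed samples: an approved private endpoint with public access closed,
# a vault whose only connection is still pending approval, and a vault with
# no private endpoint at all.
SAMPLE_VAULTS = json.loads("""
[
  {
    "name": "kv-example-compliant",
    "properties": {
      "publicNetworkAccess": "Disabled",
      "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"},
      "privateEndpointConnections": [
        {
          "name": "pe-kv-example",
          "properties": {
            "privateLinkServiceConnectionState": {"status": "Approved"}
          }
        }
      ]
    }
  },
  {
    "name": "kv-example-pending",
    "properties": {
      "publicNetworkAccess": "Enabled",
      "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices"},
      "privateEndpointConnections": [
        {
          "name": "pe-kv-pending",
          "properties": {
            "privateLinkServiceConnectionState": {"status": "Pending"}
          }
        }
      ]
    }
  },
  {
    "name": "kv-example-open",
    "properties": {
      "publicNetworkAccess": "Enabled",
      "networkAcls": {"defaultAction": "Allow"}
    }
  }
]
""")

NO_ENDPOINT = "no approved private endpoint connection"
PUBLIC_OPEN = "public network access is not restricted"


def evaluate_vault(vault):
    """Return a finding record for one vault resource document."""
    props = vault.get("properties", {})
    connections = props.get("privateEndpointConnections") or []
    approved = [
        c for c in connections
        if c.get("properties", {})
            .get("privateLinkServiceConnectionState", {})
            .get("status") == "Approved"
    ]
    findings = []
    if not approved:
        # The policy condition: no private endpoint is in use for this vault.
        findings.append(NO_ENDPOINT)
    # Extra check (assumption, not in the page's policy): a private endpoint
    # only helps if the public endpoint is disabled or its default action is Deny.
    public_access = props.get("publicNetworkAccess", "Enabled")
    default_action = props.get("networkAcls", {}).get("defaultAction", "Allow")
    if public_access != "Disabled" and default_action != "Deny":
        findings.append(PUBLIC_OPEN)
    return {
        "name": vault.get("name"),
        "compliant": not findings,
        "approved_private_endpoints": len(approved),
        "findings": findings,
    }


def evaluate_all(vaults):
    """Evaluate a list of vault documents; returns one record per vault."""
    return [evaluate_vault(v) for v in vaults]


if __name__ == "__main__":
    for record in evaluate_all(SAMPLE_VAULTS):
        status = "PASS" if record["compliant"] else "FAIL"
        print(f"{status} {record['name']}: {', '.join(record['findings']) or 'ok'}")
```

To run this against a real subscription, feed it the output of `az keyvault list` followed by `az keyvault show` for each vault, or the `properties` block from an Azure Resource Graph query over `microsoft.keyvault/vaults`; a `Pending` connection counts as a failure because the vault is not yet reachable over the private link.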


Remediation

See the additional information on the requirements that must be met before starting this remediation procedure.

From Azure Portal

  1. From Azure Home open the Portal Menu in the top left.
  2. Select Key Vaults.
  3. Select a Key Vault to audit.
  4. Select Networking in the left column.
  5. Select Private endpoint connections from the top row.
  6. Select + Create.
  7. Select the subscription the Key Vault is within, and other desired configuration.
  8. Select Next.
  9. For resource type select Microsoft.KeyVault/vaults.
  10. Select the Key Vault to associate the Private Endpoint with.
  11. Select Next.
  12. In the Virtual Networking field, select the network to assign the Endpoint.
  13. Select other configuration options as desired, including an existing or new application security group.
  14. Select Next.
  15. Select the private DNS the Private Endpoints will use.
  16. Select Next.
  17. Optionally add Tags.
  18. Select Next : Review + Create.
  19. Review the information and select Create. Follow the audit procedure above to confirm that the private endpoint was applied successfully.


policy.yaml

Linked Framework Sections

Section → Sub Section (followed by the Internal Rules / Policies / Flags counts)
💼 APRA CPG 234 → 💼 16d secure design, architecture and consultation; 11
💼 APRA CPG 234 → 💼 55 In order to minimise the risk of compromise, an end-to-end approach would typically be adopted, where encryption is applied from the point-of-entry to final destination. 11
💼 CIS Azure v1.5.0 → 💼 8.7 Ensure that Private Endpoints are Used for Azure Key Vault - Level 2 (Manual) 11
💼 CIS Azure v2.0.0 → 💼 8.7 Ensure that Private Endpoints are Used for Azure Key Vault - Level 2 (Manual) 11
💼 CIS Azure v2.1.0 → 💼 8.7 Ensure that Private Endpoints are Used for Azure Key Vault - Level 2 (Manual) 11
💼 CIS Azure v3.0.0 → 💼 3.3.7 Ensure that Private Endpoints are Used for Azure Key Vault (Automated) 1
💼 Cloudaware Framework → 💼 Secure Access 43
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H) 1139
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H) 39
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows 3539
💼 UK Cyber Essentials → 💼 1.2 Prevent access to the administrative interface from the internet 3537