Azure Key Vault Public Network Access when using Private Endpoint is enabled
- Contextual name: Public Network Access is enabled
- ID: /ce/ca/azure/key-vault/public-network-access
- Located in: Azure Key Vault
Flags
- Policy with categories
- Policy with type
- Production policy
Our Metadata
- Policy Type: COMPLIANCE_POLICY
- Policy Category: SECURITY
Logic
- prod.logic.yaml
- Azure Key Vault
- Azure Key Vault - object.extracts.yaml
- test-data.json
Description
When a private endpoint is configured on a Key Vault, clients inside the virtual network (and in any network that resolves the vault's private DNS zone) connect to the vault's private IP address. Traffic from the public internet can still reach the vault's public endpoint (mykeyvault.vault.azure.net) over its public IP address unless Public network access is set to Disabled: the private endpoint adds a private path but does not, by itself, close the public one.
Setting Public network access to Disabled on a vault that has a private endpoint makes the service reject every request that arrives through the public endpoint (the caller receives HTTP 403), so only traffic entering through the private endpoint is served. This overrides any firewall rules configured on the vault; they are no longer consulted, and requests from trusted Microsoft services remain allowed. The public DNS name is not removed: inside the virtual network, mykeyvault.vault.azure.net resolves through the privatelink.vaultcore.azure.net private DNS zone to the private endpoint's IP address, which is the only path the vault will now serve.
Rationaleβ
Removing a point of interconnection from the internet edge to your Key Vault can strengthen the network security boundary of your system and reduce the risk of exposing the control plane or vault objects to untrusted clients.
Although Azure resources are never truly isolated from the public internet, disabling the public endpoint removes a line of sight from the public internet and increases the effort required for an attack.
Remediation
From Azure Portal
Public network access can be set on the Networking tab when a Key Vault is created. For existing Key Vaults:
- From Azure Home open the Portal Menu in the top left corner
- Select Key Vaults
- Select a Key Vault to audit
- Select Networking
- Under Firewalls and virtual networks, select Disable public access
- Click Apply
Before applying the change, confirm that every legitimate client (operators, pipelines, Azure services that integrate with the vault) reaches the vault through the private endpoint; once public access is disabled, requests arriving over the public endpoint fail with HTTP 403.
From Azure CLI
To disable Public network access for each Key Vault, run the following Azure CLI command:
az keyvault update --resource-group <resource_group> --name <vault_name> --public-network-access Disabled
From PowerShell
To disable Public network access for each Key Vault, run the following PowerShell command:
Update-AzKeyVault -ResourceGroupName <resource_group> -VaultName <vault_name> -PublicNetworkAccess "Disabled"
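As an added example (not code from this page's prod.logic.yaml or from Cloudaware), the following Python evaluates the condition described above against Key Vault records in the shape that `az keyvault show -o json` returns: a vault fails when it has at least one private endpoint connection and `properties.publicNetworkAccess` is anything other than Disabled, and each failing finding carries the same `az keyvault update` command given under From Azure CLI. The vault records are constructed inline so the script runs offline; the vault names, resource groups and connection ids are made up, while the property names are the ones the Azure resource exposes. One deliberate edge case is covered: a vault created before the publicNetworkAccess property existed returns the property as absent, and Azure treats absence as Enabled, so the check does too.

```python
"""Audit Key Vault public network access against the private-endpoint rule.

Added example, not the page's prod.logic.yaml. Input shape follows the records
returned by `az keyvault show -o json`; the vault records below are constructed
for this example.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample: real ARM property names, made-up vault names, resource
# groups and (shortened) private endpoint connection ids.
SAMPLE_VAULTS = json.loads("""
[
  {"name": "kv-payments", "resourceGroup": "rg-prod",
   "properties": {"publicNetworkAccess": "Enabled",
                  "networkAcls": {"defaultAction": "Allow"},
                  "privateEndpointConnections": [{"id": "pe-kv-payments"}]}},
  {"name": "kv-legacy", "resourceGroup": "rg-prod",
   "properties": {"networkAcls": {"defaultAction": "Deny"},
                  "privateEndpointConnections": [{"id": "pe-kv-legacy"}]}},
  {"name": "kv-dev", "resourceGroup": "rg-dev",
   "properties": {"publicNetworkAccess": "Enabled",
                  "privateEndpointConnections": []}},
  {"name": "kv-sealed", "resourceGroup": "rg-prod",
   "properties": {"publicNetworkAccess": "Disabled",
                  "privateEndpointConnections": [{"id": "pe-kv-sealed"}]}}
]
""")


@dataclass
class Finding:
    vault: str
    status: str            # "FAIL", "PASS" or "N/A"
    reason: str
    remediation: Optional[str] = None


def public_access_enabled(vault: dict) -> bool:
    """True unless publicNetworkAccess is explicitly Disabled.

    Vaults created before the property existed return it as absent, and the
    service treats absence as Enabled, so the audit fails closed the same way.
    The comparison is case-insensitive because the API accepts either case.
    """
    value = vault.get("properties", {}).get("publicNetworkAccess")
    return value is None or value.lower() != "disabled"


def has_private_endpoint(vault: dict) -> bool:
    # The list is absent or null on vaults with no private endpoint.
    return bool(vault.get("properties", {}).get("privateEndpointConnections") or [])


def evaluate(vault: dict) -> Finding:
    name = vault["name"]
    rg = vault.get("resourceGroup", "<resource_group>")
    if not has_private_endpoint(vault):
        return Finding(name, "N/A", "no private endpoint; this control does not apply")
    if not public_access_enabled(vault):
        return Finding(name, "PASS",
                       "public network access disabled; only private endpoint traffic is served")
    # A firewall with defaultAction Deny narrows the public endpoint but does not
    # close it, so the vault still fails; the action is recorded for triage.
    acl = vault.get("properties", {}).get("networkAcls") or {}
    reason = ("private endpoint present but the public endpoint is still reachable "
              f"(firewall default action: {acl.get('defaultAction', 'Allow')})")
    fix = (f"az keyvault update --resource-group {rg} --name {name} "
           "--public-network-access Disabled")
    return Finding(name, "FAIL", reason, fix)


def audit(vaults) -> list:
    return [evaluate(v) for v in vaults]


if __name__ == "__main__":
    for f in audit(SAMPLE_VAULTS):
        print(f"{f.status:<4} {f.vault}: {f.reason}")
        if f.remediation:
            print(f"     fix: {f.remediation}")
```

To run it against real vaults, collect `az keyvault show -o json` output for each vault into a list and pass that list to `audit()`; the emitted command is the remediation from this page, and a blocked caller receiving HTTP 403 after the change is the observable confirmation that the public endpoint is closed.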
policy.yaml
Linked Framework Sections
Section | Sub Sections | Internal Rules | Policies | Flags
---|---|---|---|---
CIS Azure v4.0.0 → 9.3.7 Ensure that Public Network Access when using Private Endpoint is disabled (Automated) | 1 | | |
Cloudaware Framework → Secure Access | 53 | | |