Azure Key Vault Public Network Access is enabled
- Contextual name: Public Network Access is enabled
- ID: /ce/ca/azure/key-vault/public-network-access
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
- Azure Key Vault
- Azure Key Vault - object.extracts.yaml
- test-data.json
Description
This policy identifies Azure Key Vaults where public network access is not disabled, to reduce exposure to the internet and minimize the risk of unauthorized access. Access to Azure Key Vault should be restricted to trusted networks using private endpoints.
Disabling public network access removes the key vault's public endpoint from Azure public DNS. With a private endpoint in place, all traffic is routed through the private endpoint using the private DNS name (mykeyvault.vault.privatelink.azure.net), ensuring access occurs only within trusted network boundaries.
When a private endpoint is configured for a key vault, Azure resources within the associated virtual network connect to the vault using a private IP address. However, unless public network access is explicitly disabled, the key vault remains reachable via its public endpoint (mykeyvault.vault.azure.net) over the internet.
Rationale
Disabling public network access improves security by ensuring that a service is not exposed on the public internet.
Remediation
From Azure Portal
1. Go to Key vaults.
2. Click the name of a key vault.
3. Under Settings, click Networking.
4. Under Firewalls and virtual networks, next to Allow access from:, click the radio button next to Disable public access.
5. Click Apply.
6. Repeat steps 1-5 for each key vault requiring remediation.
From Azure CLI
For each key vault requiring remediation, run the following command to disable public network access:
az keyvault update --resource-group <resource-group> --name <key-vault> --public-network-access Disabled
From PowerShell
For each key vault requiring remediation, run the following command to disable public network access:
Update-AzKeyVault -ResourceGroupName <resource-group> -VaultName <vault-name> -PublicNetworkAccess "Disabled"
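As an added illustration of the check this policy performs and of the Azure CLI remediation above (example code written for this page, not the policy's own prod.logic.yaml), the following Python evaluates constructed `az keyvault show`-style JSON for several vaults and prints the filled-in remediation command for each non-compliant one. The field names properties.publicNetworkAccess and properties.networkAcls.defaultAction are assumed from the Azure CLI output shape, and a missing publicNetworkAccess value is treated as Enabled (the service default).

```python
import json

# Constructed sample resembling `az keyvault show` output; not real resources.
SAMPLE_VAULTS = json.loads("""
[
 {"name": "kv-open", "resourceGroup": "rg-app",
  "properties": {"publicNetworkAccess": "Enabled",
                 "networkAcls": {"defaultAction": "Allow"}}},
 {"name": "kv-firewalled", "resourceGroup": "rg-app",
  "properties": {"publicNetworkAccess": "Enabled",
                 "networkAcls": {"defaultAction": "Deny"}}},
 {"name": "kv-private", "resourceGroup": "rg-core",
  "properties": {"publicNetworkAccess": "Disabled",
                 "networkAcls": {"defaultAction": "Deny"}}},
 {"name": "kv-legacy", "resourceGroup": "rg-core", "properties": {}}
]
""")


def evaluate(vault: dict) -> dict:
    """Return a finding for one vault. Only an explicit 'Disabled' is compliant:
    a firewall default of Deny still leaves the public endpoint in public DNS,
    which is exactly the gap the policy description calls out."""
    props = vault.get("properties") or {}
    # Assumption: vaults with no value behave as Enabled, so fail closed on None.
    access = props.get("publicNetworkAccess") or "Enabled"
    acls = props.get("networkAcls") or {}
    compliant = access.lower() == "disabled"
    note = ""
    if not compliant and acls.get("defaultAction") == "Deny":
        note = "firewall default is Deny but the public endpoint is still enabled"
    return {"name": vault["name"], "resourceGroup": vault["resourceGroup"],
            "publicNetworkAccess": access, "compliant": compliant, "note": note}


def noncompliant(vaults: list) -> list:
    """Findings for every vault that fails the check."""
    return [f for f in map(evaluate, vaults) if not f["compliant"]]


def remediation_command(finding: dict) -> str:
    """The Azure CLI command from the remediation section, with values filled in."""
    return (f"az keyvault update --resource-group {finding['resourceGroup']} "
            f"--name {finding['name']} --public-network-access Disabled")


if __name__ == "__main__":
    for f in noncompliant(SAMPLE_VAULTS):
        print(f"{f['name']}: publicNetworkAccess={f['publicNetworkAccess']} {f['note']}")
        print("  " + remediation_command(f))
```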
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| CIS Azure v5.0.0 → 8.3.7 Ensure Public Network Access is Disabled (Automated) | 1 | no data | | | |
| Cloudaware Framework → Secure Access | 68 | no data | | | |