9.3.7 Ensure that Public Network Access when using Private Endpoint is disabled

Information

When a Private Endpoint is configured on a Key Vault, connections from Azure resources in the linked virtual network use the vault's private IP address. However, traffic from the public internet can still reach the Key Vault's public endpoint (mykeyvault.vault.azure.net) over its public IP address unless Public network access is set to "Disabled".

Setting Public network access to "Disabled" on a vault that has a Private Endpoint makes the service reject requests that arrive over the public endpoint, removing its reachable public exposure. Clients that resolve the vault through the private DNS zone (privatelink.vaultcore.azure.net) reach it only at the private endpoint IP address, and all requests take that path.

Removing a point of interconnection from the internet edge to your Key Vault can strengthen the network security boundary of your system and reduce the risk of exposing the control plane or vault objects to untrusted clients.

Although Azure resources are never truly isolated from the public internet, disabling the public endpoint removes a line of sight from the public internet and increases the effort required for an attack.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Remediate from Azure Portal

Public network access can be disabled on the Networking tab when a Key Vault is created.

For existing Key Vaults:

- From Azure Home open the Portal Menu in the top left corner
- Select Key Vaults
- Select a Key Vault to audit
- Select Networking
- NEXT

Remediate from Azure CLI

To disable Public network access for each Key Vault, run the following Azure CLI command:

az keyvault update --resource-group <resource_group> --name <vault_name> --public-network-access Disabled

Remediate from PowerShell

To disable Public network access on each Key Vault, run the following PowerShell command:

Update-AzKeyVault -ResourceGroupName <resource_group> -VaultName <vault_name> -PublicNetworkAccess "Disabled"
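The following audit script is an added example, not part of the benchmark, the Nessus plugin, or Microsoft's tooling. It evaluates the control's logic against the JSON that `az keyvault show -o json` returns for a vault (the `properties.publicNetworkAccess` and `properties.privateEndpointConnections` fields), flags vaults that have an approved private endpoint but still accept public traffic, and prints the Azure CLI remediation from above filled in with the vault's identifiers. The three vault documents embedded in it are constructed sample data, trimmed to the fields the check needs.

```python
"""Audit Key Vaults for CIS 9.3.7 from `az keyvault show -o json` output.

Added example, not code from the benchmark or the Nessus plugin. The vault
documents in SAMPLE_VAULTS are constructed test data; in practice feed the
script the output of `az keyvault show` for each vault in the subscription.
"""
import json

# Constructed sample: trimmed `az keyvault show -o json` output for three vaults.
SAMPLE_VAULTS = [
    {   # private endpoint present, public access still open -> non-compliant
        "name": "kv-prod-secrets",
        "resourceGroup": "rg-prod",
        "properties": {
            "vaultUri": "https://kv-prod-secrets.vault.azure.net/",
            "publicNetworkAccess": "Enabled",
            "privateEndpointConnections": [
                {"privateLinkServiceConnectionState": {"status": "Approved"}}
            ],
        },
    },
    {   # private endpoint present, public access disabled -> compliant
        "name": "kv-dev-sandbox",
        "resourceGroup": "rg-dev",
        "properties": {
            "vaultUri": "https://kv-dev-sandbox.vault.azure.net/",
            "publicNetworkAccess": "Disabled",
            "privateEndpointConnections": [
                {"privateLinkServiceConnectionState": {"status": "Approved"}}
            ],
        },
    },
    {   # no private endpoint at all -> this control does not apply
        "name": "kv-legacy",
        "resourceGroup": "rg-legacy",
        "properties": {
            "vaultUri": "https://kv-legacy.vault.azure.net/",
            "publicNetworkAccess": "Enabled",
            "privateEndpointConnections": [],
        },
    },
]


def has_private_endpoint(vault):
    """True when the vault has at least one approved private endpoint connection."""
    conns = vault.get("properties", {}).get("privateEndpointConnections") or []
    return any(
        (c.get("privateLinkServiceConnectionState") or {}).get("status") == "Approved"
        for c in conns
    )


def public_access_disabled(vault):
    """True when publicNetworkAccess is Disabled. A missing field is treated as
    Enabled, which is what a vault created without the setting behaves like."""
    value = vault.get("properties", {}).get("publicNetworkAccess", "Enabled")
    return str(value).lower() == "disabled"


def evaluate(vault):
    """Return (status, reason). The control only applies when a private endpoint
    exists, so a vault without one is reported as NA rather than FAIL."""
    if not has_private_endpoint(vault):
        return "NA", "no approved private endpoint; control does not apply"
    if public_access_disabled(vault):
        return "PASS", "publicNetworkAccess is Disabled"
    return "FAIL", "private endpoint present but publicNetworkAccess is Enabled"


def remediation_command(vault):
    """The Azure CLI remediation from the benchmark, with this vault's identifiers."""
    return (
        f"az keyvault update --resource-group {vault['resourceGroup']} "
        f"--name {vault['name']} --public-network-access Disabled"
    )


def audit(vaults):
    """Evaluate every vault and return one result dict per vault."""
    report = []
    for v in vaults:
        status, reason = evaluate(v)
        entry = {"name": v["name"], "status": status, "reason": reason}
        if status == "FAIL":
            entry["remediation"] = remediation_command(v)
        report.append(entry)
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_VAULTS):
        print(json.dumps(row))
```

To run it against a real subscription, collect `az keyvault list --query "[].name" -o tsv`, call `az keyvault show --name <vault_name> -o json` for each, and pass the parsed documents to `audit()`. The NA branch matters: the benchmark item is scoped to vaults that use a Private Endpoint, so a vault with no private endpoint is out of scope for this check rather than a failure, even though it is still publicly reachable.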

Impact:

Implementation needs to be properly designed from the ground up, as this is a fundamental change to the network architecture of your system. It will increase the configuration effort and decrease the usability of the Key Vault, and is appropriate for workloads where security is the primary consideration.

See Also

https://workbench.cisecurity.org/benchmarks/19304

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION

References: 800-53|AC-2, 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|AC-6(1), 800-53|AC-6(7), 800-53|AU-9(4), 800-53|MP-2, CSCv7|14.6

Plugin: microsoft_azure

Control ID: 6295fc20beaa182c072846c55d0a4a35c0ac816b5a7454b03595f23e5b6c1205