Ensure that public access is disabled in Azure Key Vault

MEDIUM

Description

Allowing unrestricted public access to cloud services can expose an application to external attack, so disallowing such access is generally considered best practice. For a service such as Azure Key Vault, disallowing public access also protects every workload that depends on the keys, secrets, and certificates it stores. In addition, it can help an organization meet compliance and regulatory requirements.

Remediation

In Azure Console -

  1. Open the Azure Portal and go to Key Vaults.
  2. Choose the key vault you wish to edit.
  3. Under Settings, select Networking.
  4. On the Firewalls and virtual networks tab, set 'Allow access from' to the 'Disable public access' option.

In Terraform -

  1. In the azurerm_key_vault resource, set the public_network_access_enabled field to false.
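The following is an added Terraform example, not code from this policy page or from the azurerm provider documentation, showing the non-compliant setting beside the remediated one; the resource group, client config and subnet references are assumed placeholders.

```hcl
# Added example: resource names, location and subnet references are assumed.

# Non-compliant: the azurerm provider defaults public_network_access_enabled
# to true, so omitting it or setting it explicitly to true leaves the vault
# reachable from any network. This is the state AC_AZURE_0292 flags.
resource "azurerm_key_vault" "weak" {
  name                          = "kv-example-weak"
  location                      = azurerm_resource_group.example.location
  resource_group_name           = azurerm_resource_group.example.name
  tenant_id                     = data.azurerm_client_config.current.tenant_id
  sku_name                      = "standard"
  public_network_access_enabled = true
}

# Compliant: public access is disabled, which corresponds to the portal's
# 'Disable public access' option. The network_acls block is kept with a
# default_action of "Deny" as a backstop so that, if public access were ever
# re-enabled, only the listed subnet and trusted Azure services could connect.
resource "azurerm_key_vault" "hardened" {
  name                          = "kv-example-hardened"
  location                      = azurerm_resource_group.example.location
  resource_group_name           = azurerm_resource_group.example.name
  tenant_id                     = data.azurerm_client_config.current.tenant_id
  sku_name                      = "standard"
  public_network_access_enabled = false

  network_acls {
    default_action             = "Deny"
    bypass                     = "AzureServices"
    virtual_network_subnet_ids = [azurerm_subnet.app.id]
  }
}
```

Once public access is disabled, clients reach the vault only through a private endpoint (for example an azurerm_private_endpoint resource), so plan that connectivity before applying the change to a vault that is in use.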

References:
https://learn.microsoft.com/en-us/azure/key-vault/general/overview
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault

Policy Details

Rule Reference ID: AC_AZURE_0292
CSP: Azure
Remediation Available: Yes
Resource Category: Management
Resource Type: Key Vault

Frameworks