Ensure that Private Endpoints are Used for Azure Key Vault
Private endpoints will secure network traffic from Azure Key Vault to the resources requesting secrets and keys.
Risk Level: Medium
Cloud Entity: Azure Key Vault
CloudGuard Rule ID: D9.AZU.NET.69
Covered by Spectral: No
Category: Security, Identity, & Compliance
GSL LOGIC
KeyVault should have privateEndpointConnections contain [ privateLinkServiceConnectionState.status='Approved' ]
REMEDIATION
From Portal
- Go to 'Key Vaults'.
- Select a Key Vault to audit and Select Networking in the left column.
- Select Private endpoint connections from the top row and + Create.
- Select the subscription the Key Vault is within, and other desired configuration.Select Next.
- For resource type select Microsoft.KeyVault/vaults.
- Select the Key Vault to associate the Private Endpoint with and Click Next.
- In the Virtual Networking field, select the network to assign the Endpoint.
- Select other configuration options as desired, including an existing or new application security group and Click Next.
- Select the private DNS and Select Next.Optionally add Tags.
- Select Next : Review + Create.
From TF
Use below code to create Private Endpoint for Storage Account:
resource "azurerm_private_endpoint" "exampleKV" {
name = "example-endpoint"
location = Location
resource_group_name = Resource Group
subnet_id = Subnet ID
private_service_connection {
name = "example-privateServiceConnection"
private_connection_resource_id = Private Connection ID
is_manual_connection = false
}
From Command Line
To create an endpoint, run the following command:
az network private-endpoint create --resource-group RESOURCEGROUP --vnet-name VNET --subnet SUBNET --name PRIVATE-ENDPOINT --private-connection-resource-id ID --group-ids vault --connection-name PRIVATE-LINK-CONNECTION --location LOCATION --manual-request
References
- https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview
- https://learn.microsoft.com/en-us/azure/key-vault/general/private-link-service?tabs=portal
- https://learn.microsoft.com/en-us/cli/azure/network/private-endpoint?view=azure-cli-latest#az-network-private-endpoint-create
Azure Key Vault
Secure key management is essential to protect data in the cloud. Use Azure Key Vault to encrypt keys and small secrets like passwords that use keys stored in hardware security modules (HSMs). For more assurance, import or generate keys in HSMs, and Microsoft processes your keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware). With Key Vault, Microsoft doesn���t see or extract your keys. Monitor and audit your key use with Azure logging���pipe logs into Azure HDInsight or your security information and event management (SIEM) solution for more analysis and threa
Compliance Frameworks
- AZU PCI-DSS 4.0
- Azure CIS Foundations v. 1.5.0
- Azure CIS Foundations v.2.0
- Azure CloudGuard Best Practices
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset
Updated about 1 year ago