Ensure that Private Endpoints are Used for Azure Key Vault

Private endpoints route traffic between Azure Key Vault and the resources requesting secrets and keys over the Azure backbone via a private IP in your virtual network, so the vault is no longer reached over the public endpoint.

Risk Level: Medium
Cloud Entity: Azure Key Vault
CloudGuard Rule ID: D9.AZU.NET.69
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

KeyVault should have privateEndpointConnections contain [ privateLinkServiceConnectionState.status='Approved' ]
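The GSL rule above passes only when at least one private endpoint connection on the vault reports status 'Approved'; a vault with no connections, or with connections still in 'Pending' (for example, created with manual approval and never approved by the vault owner), fails. The following is an added example, not CloudGuard's own evaluator, that applies the same logic to the ARM JSON shape of a Microsoft.KeyVault/vaults resource. The three vault records are constructed sample data, and the field names assume the ARM layout in which each connection carries its state under properties.privateLinkServiceConnectionState.status.

```python
"""Evaluate the Key Vault private-endpoint rule against ARM resource JSON.

Added example. The vault records below are constructed for illustration and
are not output from a real subscription.
"""
import json

# Constructed sample: three vaults trimmed to the fields the rule inspects.
# "PLACEHOLDER-PE-ID" stands in for a real private endpoint connection ID.
SAMPLE_VAULTS = json.loads("""
[
  {"name": "kv-prod",
   "properties": {
     "publicNetworkAccess": "Disabled",
     "privateEndpointConnections": [
       {"id": "PLACEHOLDER-PE-ID",
        "properties": {"privateLinkServiceConnectionState": {"status": "Approved"}}}
     ]}},
  {"name": "kv-pending",
   "properties": {
     "privateEndpointConnections": [
       {"properties": {"privateLinkServiceConnectionState": {"status": "Pending"}}}
     ]}},
  {"name": "kv-no-pe",
   "properties": {}}
]
""")


def connection_status(conn: dict) -> str:
    """Return the privateLinkServiceConnectionState.status of one connection.

    Missing fields are reported as "Unknown" rather than raising, so one
    malformed record cannot abort a whole scan.
    """
    state = conn.get("properties", {}).get("privateLinkServiceConnectionState", {})
    return state.get("status", "Unknown")


def evaluate_vault(vault: dict) -> tuple[bool, str]:
    """Apply the rule to one vault: compliant iff any connection is Approved.

    Returns (compliant, reason). The reason distinguishes "no endpoint at all"
    from "endpoint exists but awaits approval", which need different fixes.
    """
    conns = vault.get("properties", {}).get("privateEndpointConnections") or []
    if not conns:
        return False, "no private endpoint connections"
    statuses = [connection_status(c) for c in conns]
    if "Approved" in statuses:
        return True, "approved private endpoint connection present"
    return False, f"connections present but none Approved: {sorted(set(statuses))}"


def evaluate(vaults: list[dict]) -> dict[str, bool]:
    """Map each vault name to its pass/fail result for the rule."""
    return {v["name"]: evaluate_vault(v)[0] for v in vaults}


if __name__ == "__main__":
    for vault in SAMPLE_VAULTS:
        ok, reason = evaluate_vault(vault)
        print(f"{vault['name']:<12} {'PASS' if ok else 'FAIL'}  {reason}")
```

Run against real data by replacing SAMPLE_VAULTS with the output of a vault listing from the ARM API; the rule only needs privateEndpointConnections, so the rest of the resource can be dropped. The kv-pending case is the one worth watching after remediation: an endpoint created with manual approval does not satisfy the rule until the connection is approved on the Key Vault side.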

REMEDIATION

From Portal

  1. Go to 'Key Vaults'.
  2. Select a Key Vault to audit and Select Networking in the left column.
  3. Select Private endpoint connections from the top row and + Create.
  4. Select the subscription the Key Vault is within, and other desired configuration. Select Next.
  5. For resource type select Microsoft.KeyVault/vaults.
  6. Select the Key Vault to associate the Private Endpoint with and Click Next.
  7. In the Virtual Networking field, select the network to assign the Endpoint.
  8. Select other configuration options as desired, including an existing or new application security group and Click Next.
  9. Select the private DNS and Select Next. Optionally add Tags.
  10. Select Next : Review + Create.

From TF
Use the code below to create a Private Endpoint for the Key Vault:

resource "azurerm_private_endpoint" "exampleKV" {
  name                = "example-endpoint"
  location            = var.location            # region of the subnet, e.g. "eastus"
  resource_group_name = var.resource_group_name
  subnet_id           = var.subnet_id           # subnet that hosts the endpoint NIC

  private_service_connection {
    name                           = "example-privateServiceConnection"
    private_connection_resource_id = var.key_vault_id   # resource ID of the Key Vault
    subresource_names              = ["vault"]          # Key Vault private-link group ID
    is_manual_connection           = false              # auto-approved, so the connection reports 'Approved'
  }
}

From Command Line

To create an endpoint, run the following command. Note that --manual-request leaves the connection in 'Pending' until it is approved on the Key Vault side; the rule only passes once the connection status is 'Approved'.

az network private-endpoint create --resource-group RESOURCEGROUP --vnet-name VNET --subnet SUBNET --name PRIVATE-ENDPOINT --private-connection-resource-id ID --group-ids vault --connection-name PRIVATE-LINK-CONNECTION --location LOCATION --manual-request

References

  1. https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview
  2. https://learn.microsoft.com/en-us/azure/key-vault/general/private-link-service?tabs=portal
  3. https://learn.microsoft.com/en-us/cli/azure/network/private-endpoint?view=azure-cli-latest#az-network-private-endpoint-create

Azure Key Vault

Secure key management is essential to protect data in the cloud. Use Azure Key Vault to encrypt keys and small secrets like passwords that use keys stored in hardware security modules (HSMs). For more assurance, import or generate keys in HSMs, and Microsoft processes your keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware). With Key Vault, Microsoft doesn't see or extract your keys. Monitor and audit your key use with Azure logging: pipe logs into Azure HDInsight or your security information and event management (SIEM) solution for more analysis and threa

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset