Ensure that your Microsoft Azure Key Vaults are configured to deny access by default to traffic from all networks (including the public Internet). Restricting public access to your Azure Key Vaults adds an important layer of security, because the Key Vault firewall's default action is to accept connections from clients on any network. To limit access to trusted networks and/or IP addresses, you must change the Key Vault firewall default action from "Allow" to "Deny" and then configure the appropriate network and IP access rules.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Access to your Azure Key Vaults should be granted either to specific Azure Virtual Networks, which provide a secure network boundary for specific applications, or to public IP addresses/IP address ranges, which enable connections from trusted Internet services and on-premises networks. Once the firewall rules are properly configured, only applications on allowed networks or IPs can access your Key Vault resources (encryption keys, secrets, certificates, etc.).
Note: Making changes to network firewall rules can impact your applications' ability to connect to the Azure Key Vault. Make sure to grant access to any trusted service or network using network rules or IP addresses/ranges before you change the firewall default rule to deny access.
Audit
To determine if the default network access (i.e. all access) is restricted for your Azure Key Vaults, perform the following actions:
Remediation / Resolution
To restrict default network access (i.e. public access) to your Microsoft Azure Key Vaults, perform the following actions:
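The audit and remediation steps described above can be reproduced offline with the added example below. It is not Conformity's tooling or Microsoft's code; it evaluates JSON shaped like the output of `az keyvault show` (the `properties.networkAcls.defaultAction` field) and, for each vault whose default action is not "Deny", builds the `az keyvault network-rule add` and `az keyvault update` commands listed in the References. The vault names, resource groups, and the 203.0.113.0/24 range in the sample data are constructed placeholders; the `allowed_ips` parameter stands in for whatever trusted ranges an operator supplies. Vaults that have never had a firewall configured carry no `networkAcls` block at all, and the check treats that as "Allow", which is how Azure behaves.

```python
"""Offline audit of the Azure Key Vault firewall default action.

Added example (not Conformity's own tooling). It evaluates JSON shaped like the
output of `az keyvault show` and emits the `az keyvault network-rule add` /
`az keyvault update` commands needed to remediate vaults that are not set to Deny.
"""
import json
import shlex

# Constructed sample: what `az keyvault show --name <vault>` could return for three
# vaults, gathered into one list. Names, resource groups and IP ranges are placeholders.
SAMPLE_VAULTS_JSON = """
[
  {"name": "kv-payments", "resourceGroup": "rg-prod",
   "properties": {"networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices",
                                  "ipRules": [{"value": "203.0.113.0/24"}],
                                  "virtualNetworkRules": []}}},
  {"name": "kv-legacy", "resourceGroup": "rg-prod",
   "properties": {"networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices",
                                  "ipRules": [], "virtualNetworkRules": []}}},
  {"name": "kv-new", "resourceGroup": "rg-dev",
   "properties": {}}
]
"""


def default_action(vault: dict) -> str:
    """Return the firewall default action for one vault record.

    A vault with no networkAcls block has never had its firewall configured;
    Azure then accepts traffic from all networks, so report it as "Allow".
    """
    acls = vault.get("properties", {}).get("networkAcls") or {}
    return acls.get("defaultAction", "Allow")


def is_compliant(vault: dict) -> bool:
    """Compliant only when the default action is explicitly Deny."""
    return default_action(vault).lower() == "deny"


def audit(vaults_json: str) -> list:
    """Return one finding per vault whose default action is not Deny."""
    findings = []
    for vault in json.loads(vaults_json):
        if not is_compliant(vault):
            findings.append({
                "name": vault["name"],
                "resourceGroup": vault["resourceGroup"],
                "defaultAction": default_action(vault),
            })
    return findings


def remediation_commands(finding: dict, allowed_ips: list) -> list:
    """Build the az CLI commands for one finding.

    Trusted IP ranges are allow-listed first and the default action is flipped
    to Deny last, the order the page's note recommends so that trusted clients
    keep working. allowed_ips is a placeholder list supplied by the operator.
    """
    name = shlex.quote(finding["name"])
    rg = shlex.quote(finding["resourceGroup"])
    cmds = [
        f"az keyvault network-rule add --name {name} --resource-group {rg} "
        f"--ip-address {shlex.quote(ip)}"
        for ip in allowed_ips
    ]
    cmds.append(
        f"az keyvault update --name {name} --resource-group {rg} --default-action Deny"
    )
    return cmds


if __name__ == "__main__":
    for finding in audit(SAMPLE_VAULTS_JSON):
        print(f"NON-COMPLIANT: {finding['name']} ({finding['resourceGroup']}) "
              f"defaultAction={finding['defaultAction']}")
        for cmd in remediation_commands(finding, ["203.0.113.0/24"]):
            print("  " + cmd)
```

Against the sample data the script flags `kv-legacy` (explicit Allow) and `kv-new` (no firewall configured) and leaves `kv-payments` alone. In a real run you would replace the embedded JSON with the output of `az keyvault list` followed by `az keyvault show` for each vault, and review the generated commands before executing them.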
References
- Azure Official Documentation
  - Configure Azure Key Vault firewalls and virtual networks
  - Virtual network service endpoints for Azure Key Vault
- Azure Command Line Interface (CLI) Documentation
  - az keyvault list
  - az keyvault show
  - az keyvault update
  - az keyvault network-rule add
Restrict Default Network Access for Azure Key Vaults
Risk Level: Medium