Restrict Default Network Access for Azure Key Vaults

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: KeyVault-007

Ensure that your Microsoft Azure Key Vaults are configured to deny access to traffic from all networks (including the public Internet) unless a network rule explicitly allows it. Restricting public access adds an important layer of defense, because the Key Vault firewall's default action is to accept connections from clients on any network: a leaked access token or an over-permissioned identity can then be used against the vault from anywhere on the Internet. To limit access to trusted networks and/or IP addresses, change the Key Vault firewall default action from "Allow" to "Deny" and add the appropriate virtual network and IP rules.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Access to your Azure Key Vaults should be granted only to specific Azure Virtual Networks, which provide a secure network boundary for specific applications, or to public IP addresses/IP address ranges, which enable connections from trusted Internet services and on-premises networks. Once the firewall rules are configured, only clients on allowed networks or IPs can reach the vault's data plane (encryption keys, secrets, certificates, etc.). Network rules complement, rather than replace, authorization: a caller still needs a matching access policy or Azure RBAC role assignment, and management-plane (Azure Resource Manager) operations on the vault resource are not subject to these rules.

Note: Changing network firewall rules can break your applications' ability to connect to the Azure Key Vault. Grant access to every trusted service, network or IP address range using network rules before you change the firewall default rule to deny access, and remember that the workstation or shell from which you later read or manage secrets is itself subject to the new rule for data-plane calls.


Audit

To determine if the default network access (i.e. access from all networks) is restricted for your Azure Key Vaults, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Key vault to list all Key Vault instances available in the selected subscription.

05 Click on the name of the Azure Key Vault that you want to examine.

06 In the navigation panel, under Settings, select Networking to access network security configuration page for the selected vault.

07 On the Firewalls and virtual networks tab, check the Allow access from setting. If Allow access from is set to All networks, any client on any network, including the Internet, can reach the selected Azure Key Vault, therefore the vault network access configuration is not compliant.

08 Repeat steps no. 5 – 7 for each Azure Key Vault available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run keyvault list command (Windows/macOS/Linux) using custom query filters to list the names of all Key Vault instances available in the current Azure subscription:

az keyvault list \
	--query '[*].name'

02 The command output should return the requested Azure resource identifiers (names):

[
  "cc-project5-key-vault",
  "cc-internal-app-vault"
]

03 Run keyvault show command (Windows/macOS/Linux) using the name of the Key Vault instance that you want to examine as identifier parameter and custom query filters to obtain the default network access rule configuration for the selected vault:

az keyvault show \
	--name "cc-project5-key-vault" \
	--query 'properties.networkAcls.defaultAction'

04 The command output should return the action configured for the default network access rule:

"Allow"

or no output at all, which means the vault firewall has never been configured (the networkAcls block is null).

If the keyvault show command output returns "Allow" or nothing, as shown above, all networks, including the Internet, can access the selected Microsoft Azure Key Vault, therefore the vault network access configuration is not compliant. Only "Deny" is a compliant value.

05 Repeat step no. 3 and 4 for each Key Vault instance available within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
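The Azure CLI audit above checks one vault at a time by eye. The following script, added here as an example and not part of the original page or of the Conformity tool, evaluates the JSON returned by `az keyvault show -o json` and applies the same rule: only `networkAcls.defaultAction == "Deny"` passes, and a missing networkAcls block (the "empty" output case) fails. It also raises advisory findings on vaults that pass: a Deny vault with no IP or virtual network rules locks out every ordinary client, and `bypass: AzureServices` lets trusted Microsoft services skip the firewall. The vault names and values in SAMPLE_VAULTS are constructed; the field layout follows the `az keyvault show` output shown on this page.

```python
"""Audit Azure Key Vault network ACLs from `az keyvault show -o json` output.

Live use:    az keyvault show --name cc-project5-key-vault -o json | python3 kv_net_audit.py
Stand-alone: python3 kv_net_audit.py   (evaluates the constructed samples below)
"""
import json
import sys

# Constructed sample objects (hypothetical vaults), trimmed to the fields this
# script reads. The shape follows `az keyvault show` output.
SAMPLE_VAULTS = [
    {   # default action left at Allow: non-compliant
        "name": "cc-project5-key-vault",
        "properties": {"networkAcls": {"bypass": "AzureServices", "defaultAction": "Allow",
                                       "ipRules": [], "virtualNetworkRules": []}},
    },
    {   # firewall never configured: networkAcls is null, the CLI query prints nothing
        "name": "cc-internal-app-vault",
        "properties": {"networkAcls": None},
    },
    {   # Deny with an explicit allow-list and no trusted-service bypass
        "name": "cc-locked-down-vault",
        "properties": {"networkAcls": {"bypass": "None", "defaultAction": "Deny",
                                       "ipRules": [{"value": "16.17.18.0/24"}],
                                       "virtualNetworkRules": []}},
    },
    {   # Deny but no rules at all: compliant, yet every ordinary client is locked out
        "name": "cc-deny-no-rules-vault",
        "properties": {"networkAcls": {"bypass": "AzureServices", "defaultAction": "Deny",
                                       "ipRules": [], "virtualNetworkRules": []}},
    },
]


def evaluate_vault(vault):
    """Return (compliant, findings) for one vault object.

    compliant is True only when networkAcls.defaultAction == "Deny"; findings
    carries the reason for a failure, or advisory notes for a passing vault.
    """
    acls = (vault.get("properties") or {}).get("networkAcls") or {}
    action = acls.get("defaultAction")
    if action != "Deny":
        shown = repr(action) if action else "unset (no networkAcls block)"
        return False, ["default action is %s: any network, including the Internet, "
                       "can reach the vault data plane" % shown]

    findings = []
    ip_rules = [r.get("value") for r in acls.get("ipRules") or []]
    vnet_rules = [r.get("id") for r in acls.get("virtualNetworkRules") or []]
    if not ip_rules and not vnet_rules:
        findings.append("Deny with no IP or virtual network rules: only bypassed "
                        "trusted services (if any) can connect")
    if "AzureServices" in (acls.get("bypass") or ""):
        findings.append("bypass=AzureServices: trusted Microsoft services skip the firewall")
    return True, findings


def audit(vaults):
    """Map vault name -> (compliant, findings) for a list of vault objects."""
    return {v["name"]: evaluate_vault(v) for v in vaults}


def main():
    # Read one object or an array of objects from stdin; fall back to the samples.
    if sys.stdin.isatty():
        vaults = SAMPLE_VAULTS
    else:
        data = json.load(sys.stdin)
        vaults = data if isinstance(data, list) else [data]
    failed = 0
    for name, (ok, findings) in audit(vaults).items():
        print("%s %s" % ("PASS" if ok else "FAIL", name))
        for finding in findings:
            print("    - " + finding)
        failed += not ok
    sys.exit(1 if failed else 0)


if __name__ == "__main__":
    main()
```

Because `az keyvault list` across a subscription does not return the networkAcls block, run `az keyvault show` per vault name (as in the steps above) and pipe each result into the script; the non-zero exit status makes it usable as a CI gate.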

Remediation / Resolution

To restrict default network access (i.e. public access) to your Microsoft Azure Key Vaults, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Key vault to list all Key Vault instances available in the selected subscription.

05 Click on the name of the Azure Key Vault that you want to reconfigure.

06 In the navigation panel, under Settings, select Networking to access network security configuration page for the selected vault.

07 On the Firewalls and virtual networks tab, choose Private endpoint and selected networks under Allow access from to show the network security configuration panel for the selected Key Vault.

08 On the configuration panel, perform the following operations:

  1. To secure your Azure Key Vault access with virtual networks, use + Add existing virtual network or + Add new virtual network option available in the Virtual networks section to attach an existing virtual network or to create and attach a new one.
  2. To add IPv4 addresses or IPv4 address ranges in order to allow access from a trusted machine on the Internet or from your on-premises network(s), use the configuration controls available under IPv4 address or CIDR, in the Firewall section.
  3. To configure a network access exception such as a trusted Microsoft service, use the controls available in the Exception section.

09 Once the network security (firewalls and virtual networks) for the selected Azure Key Vault is properly configured, click Save to apply the changes. Note that it can take up to a minute after saving for the new access settings to take effect; until then the previous firewall settings, which allow access to the vault resources, remain in effect.

10 Repeat steps no. 5 – 9 for each Azure Key Vault available in the selected subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the keyvault update command (Windows/macOS/Linux) using the name of the Key Vault instance that you want to reconfigure as the identifier parameter (see the Azure CLI steps in the Audit section to identify the right resource) to set the default network action to Deny, i.e. to restrict public access to the selected Microsoft Azure Key Vault. Be aware that once this command completes, every data-plane request that does not match a network rule or the trusted-services bypass is refused, including requests from the machine you are running the CLI on; if that is a problem, add the network rules from step no. 3 first and run this command last.

az keyvault update \
	--name "cc-project5-key-vault" \
	--default-action Deny

02 The command output should return the metadata available for the reconfigured Key Vault:

{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-project5-key-vault",
  "location": "westeurope",
  "name": "cc-project5-key-vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
        "permissions": {
          "certificates": [
            "Get",
            "List",
            "Update",
            "Create",
            "Import",
            "Delete",
            "Recover",
            "Backup",
            "Restore",
            "ManageContacts",
            "ManageIssuers",
            "GetIssuers",
            "ListIssuers",
            "SetIssuers",
            "DeleteIssuers"
          ],
          "keys": [
            "Get",
            "List",
            "Update",
            "Create",
            "Import",
            "Delete",
            "Recover",
            "Backup",
            "Restore"
          ],
          "secrets": [
            "Get",
            "List",
            "Set",
            "Delete",
            "Recover",
            "Backup",
            "Restore"
          ],
          "storage": null
        },
        "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": null,
    "enableRbacAuthorization": false,
    "enableSoftDelete": null,
    "enabledForDeployment": true,
    "enabledForDiskEncryption": true,
    "enabledForTemplateDeployment": true,
    "networkAcls": {
      "bypass": "AzureServices",
      "defaultAction": "Deny",
      "ipRules": [],
      "virtualNetworkRules": []
    },
    "provisioningState": "Succeeded",
    "sku": {
      "name": "standard"
    },
    "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
    "vaultUri": "https://cc-project5-key-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}

03 Now that the default network rule denies all access to your Key Vault resources, you have to configure one or more firewall rules in order to grant access from your trusted IP(s) and/or network(s) only. For example, the following configuration grants access to a specific on-premises network while blocking general Internet traffic. To allow access from your trusted network only, run the keyvault network-rule add command (Windows/macOS/Linux) to add a network firewall rule for a trusted public IP address range (e.g. 16.17.18.0/24). IP rules accept public IPv4 addresses and CIDR ranges only; private (RFC 1918) ranges are rejected, and clients inside Azure virtual networks should be allowed with a virtual network rule (--subnet together with --vnet-name) instead:

az keyvault network-rule add \
	--name "cc-project5-key-vault" \
	--ip-address 16.17.18.0/24

04 The command output should return the configuration metadata available for the selected Key Vault:

{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-project5-key-vault",
  "location": "westeurope",
  "name": "cc-project5-key-vault",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
        "permissions": {
          "certificates": [
            "Get",
            "List",
            "Update",
            "Create",
            "Import",
            "Delete",
            "Recover",
            "Backup",
            "Restore",
            "ManageContacts",
            "ManageIssuers",
            "GetIssuers",
            "ListIssuers",
            "SetIssuers",
            "DeleteIssuers"
          ],
          "keys": [
            "Get",
            "List",
            "Update",
            "Create",
            "Import",
            "Delete",
            "Recover",
            "Backup",
            "Restore"
          ],
          "secrets": [
            "Get",
            "List",
            "Set",
            "Delete",
            "Recover",
            "Backup",
            "Restore"
          ],
          "storage": null
        },
        "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": null,
    "enableRbacAuthorization": false,
    "enableSoftDelete": null,
    "enabledForDeployment": true,
    "enabledForDiskEncryption": true,
    "enabledForTemplateDeployment": true,
    "networkAcls": {
      "bypass": "AzureServices",
      "defaultAction": "Deny",
      "ipRules": [
        {
          "value": "16.17.18.0/24"
        }
      ],
      "virtualNetworkRules": []
    },
    "provisioningState": "Succeeded",
    "sku": {
      "name": "standard"
    },
    "tenantId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
    "vaultUri": "https://cc-project5-key-vault.vault.azure.net/"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}

05 Repeat steps no. 1 – 4 for each Azure Key Vault available within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
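The CLI steps above flip the default action to Deny first and add the allow-list afterwards, which leaves a window in which trusted clients are cut off. The following script, added here as an example and not part of the original page or of the Conformity tool, reads the current state from `az keyvault show -o json` and emits the az commands in a lockout-safe order (rules first, Deny last), skipping rules that already exist and skipping the update when the vault is already on Deny, so it can be re-run safely. SAMPLE_VAULT and the CIDR/subnet values are constructed; the az commands and flags used are the ones shown on this page plus `--subnet`, which accepts a full subnet resource ID.

```python
"""Plan (and optionally run) the az CLI commands that restrict a Key Vault to
an allow-list, adding rules before the default action is switched to Deny.

Live use: az keyvault show --name cc-project5-key-vault -o json \
            | python3 kv_net_plan.py 16.17.18.0/24 [--apply]
"""
import json
import shlex
import subprocess
import sys

# Constructed sample (hypothetical vault, same shape as `az keyvault show` output).
SAMPLE_VAULT = {
    "name": "cc-project5-key-vault",
    "properties": {"networkAcls": {"bypass": "AzureServices", "defaultAction": "Allow",
                                   "ipRules": [{"value": "16.17.18.0/24"}],
                                   "virtualNetworkRules": []}},
}


def plan_remediation(vault, allowed_cidrs=(), allowed_subnet_ids=()):
    """Return the ordered list of az commands needed to reach the target state.

    Existing rules are skipped and the default-action change is omitted when
    the vault already denies by default, so applying the plan twice is harmless.
    """
    name = shlex.quote(vault["name"])
    acls = (vault.get("properties") or {}).get("networkAcls") or {}
    have_ips = {r.get("value") for r in acls.get("ipRules") or []}
    # Azure resource IDs are case-insensitive, so compare subnet IDs lower-cased.
    have_subnets = {(r.get("id") or "").lower() for r in acls.get("virtualNetworkRules") or []}

    cmds = []
    for cidr in allowed_cidrs:
        if cidr not in have_ips:
            cmds.append("az keyvault network-rule add --name %s --ip-address %s"
                        % (name, shlex.quote(cidr)))
    for subnet_id in allowed_subnet_ids:
        if subnet_id.lower() not in have_subnets:
            cmds.append("az keyvault network-rule add --name %s --subnet %s"
                        % (name, shlex.quote(subnet_id)))
    # Deny goes last: by now every trusted client has a matching rule.
    if acls.get("defaultAction") != "Deny":
        cmds.append("az keyvault update --name %s --default-action Deny" % name)
    return cmds


def run_plan(cmds, executor=None):
    """Execute each command in order and return the argv lists that were run.

    executor(argv) defaults to subprocess.run(argv, check=True); pass a callable
    that only records argv for a dry run.
    """
    if executor is None:
        executor = lambda argv: subprocess.run(argv, check=True)
    ran = []
    for cmd in cmds:
        argv = shlex.split(cmd)
        executor(argv)
        ran.append(argv)
    return ran


def main():
    args = [a for a in sys.argv[1:] if a != "--apply"]
    vault = SAMPLE_VAULT if sys.stdin.isatty() else json.load(sys.stdin)
    cidrs = [a for a in args if "/" in a and not a.startswith("/")]
    subnets = [a for a in args if a.startswith("/subscriptions/")]
    cmds = plan_remediation(vault, cidrs, subnets)
    for cmd in cmds:
        print(cmd)
    if "--apply" in sys.argv:
        run_plan(cmds)


if __name__ == "__main__":
    main()
```

Without `--apply` the script only prints the plan, which is the form worth pasting into a change ticket; after applying it, confirm the result with the `az keyvault show` query from the Audit section.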

Publication date Aug 31, 2020
