Key Vault is not protected by firewall Affecting Key Vault service in Azure


Severity

0.0
medium
0
10
Severity Framework
Snyk CCSS
Rule category
Network/ Firewall

Is your environment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
Frameworks
  • Snyk IDSNYK-CC-00708
  • creditSnyk Research Team

Description

By default the Azure Key Vault firewall is disabled. All applications and Azure services can access the key vault and send requests to the key vault. It is recommended to enable the Azure Key Vault firewall and whitelist access explicitly.

How to fix?

Set the default_action attribute in network_acls block to Deny.

Example Configuration

resource "azurerm_key_vault" "allowed1" {
     name                        = "allowed1"
     resource_group_name         = azurerm_resource_group.example.name
     location                    = azurerm_resource_group.example.location
     tenant_id                   = data.azurerm_client_config.current.tenant_id
     sku_name = "standard"

     network_acls {
        bypass = "AzureServices"
        default_action = "Deny"
     }
}