Key Vault is not protected by firewall Affecting Key Vault service in Azure

Snyk CCSS

Network / Firewall

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

Snyk ID SNYK-CC-00708
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

By default the Azure Key Vault firewall is disabled. All applications and Azure services can access the key vault and send requests to the key vault. It is recommended to enable the Azure Key Vault firewall and whitelist access explicitly.

How to fix?

Set the default_action attribute in network_acls block to Deny.

Example Configuration

resource "azurerm_key_vault" "allowed1" {
     name                        = "allowed1"
     resource_group_name         = azurerm_resource_group.example.name
     location                    = azurerm_resource_group.example.location
     tenant_id                   = data.azurerm_client_config.current.tenant_id
     sku_name = "standard"

     network_acls {
        bypass = "AzureServices"
        default_action = "Deny"
     }
}

Terraform

azurerm_key_vault

Key Vault is not protected by firewall Affecting Key Vault service in Azure

Severity

Description

How to fix?

Example Configuration

Terraform