🚀Launch Week 09, June 30th - July 4th, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
15Dashboards
1464Benchmarks
449Queries
2Variables
GitHub

Control: 9.3.7 Ensure that Public Network Access when using Private Endpoint is disabled

Description

When Private endpoint is configured on a Key Vault, connections from Azure resources within the same subnet will use its private IP address. However, network traffic from the public internet can still flow connect to the Key Vault’s public endpoint (mykeyvault.vault.azure.net) using its public IP address unless Public network access is set to “Disabled”.

Setting the Public network access to “Disabled” with a Private Endpoint will remove the Vault’s public endpoint from Azure public DNS, reducing its exposure to the public internet. Network traffic will use the Vault private endpoint IP address for all requests (mykeyvault.vault.privatelink.azure.net).

Removing a point of interconnection from the internet edge to your Key Vault can strengthen the network security boundary of your system and reduce the risk of exposing the control plane or vault objects to untrusted clients.

Although Azure resources are never truly isolated from the public internet, disabling the public endpoint removes a line of sight from the public internet and increases the effort required for an attack.

Remediation

From Azure Portal

Key Vaults can be configured to use Azure role-based access control on creation.

For existing Key Vaults:

  1. From Azure Home open the Portal Menu in the top left corner.
  2. Select Key Vaults.
  3. Select a Key Vault to audit.
  4. Select Networking.
  5. NEXT.

From Azure CLI

To disable Public network access for each Key Vault, run the following Azure CLI command:

az keyvault update --resource-group <resource_group> --name <vault_name> --public-network-access Disabled

From PowerShell

To enable RBAC authorization on each Key Vault, run the following PowerShell command:

Update-AzKeyVault -ResourceGroupName <resource_group> -VaultName <vault_name> -PublicNetworkAccess "Disabled"

Default Value

The default value for Access control in Key Vaults is Vault Policy.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v400_9_3_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v400_9_3_7 --share

SQL

This control uses a named query:

select
  v.id as resource,
  case
    when jsonb_array_length(v.private_endpoint_connections) > 0 
      and v.network_acls ->> 'defaultAction' = 'Deny' then 'ok'
    when jsonb_array_length(v.private_endpoint_connections) = 0 then 'skip'
    else 'alarm'
  end as status,
  case
    when jsonb_array_length(v.private_endpoint_connections) > 0 
      and v.network_acls ->> 'defaultAction' = 'Deny' 
      then v.name || ' public network access is disabled with private endpoint.'
    when jsonb_array_length(v.private_endpoint_connections) = 0 
      then v.name || ' has no private endpoints configured.'
    else v.name || ' public network access is enabled with private endpoint.'
  end as reason,
  v.subscription_id,
  v.resource_group,
  v.region
from
  azure_key_vault v;

Tags

category = Compliance
cis = true
cis_item_id = 9.3.7
cis_level = 2
cis_section_id = 9.3
cis_type = automated
cis_version = v4.0.0
plugin = azure
service = Azure/KeyVault