Control: 8.3.8 Ensure Private Endpoints are used to access Azure Key Vault
Description
Use private endpoints so that clients and services reach the Key Vault over Azure Private Link instead of its public endpoint. The private endpoint takes an IP address from a subnet in your VNet, so traffic between the client and the vault stays on the Microsoft backbone network (still protected by TLS at the application layer) rather than traversing the internet. The VNet can be peered with other address spaces to extend your network, or connected to remote infrastructure through a VPN or ExpressRoute tunnel, so on-premises and remote clients can also reach the vault privately. Segmenting the traffic this way keeps outside sources from reaching the vault at all.
Private endpoints secure network traffic between Azure Key Vault and the resources requesting secrets and keys. Note that creating a private endpoint does not by itself disable the vault's public endpoint: the vault firewall must also be set to deny public network access (default action Deny), otherwise the private endpoint can simply be bypassed. The query used by this control treats a vault that still allows public networks as failing, regardless of its private endpoint connections.
Remediation
Please see the additional information about the requirements needed before starting this remediation procedure.
Remediate from Azure Portal
1. From Azure Home open the Portal Menu in the top left.
2. Select Key Vaults.
3. Select a Key Vault to audit.
4. Select Networking in the left column.
5. Select Private endpoint connections from the top row.
6. Select + Create.
7. Select the subscription the Key Vault is within, and other desired configuration.
8. Select Next.
9. For resource type select Microsoft.KeyVault/vaults.
10. Select the Key Vault to associate the Private Endpoint with.
11. Select Next.
12. In the Virtual Networking field, select the network to assign the Endpoint.
13. Select other configuration options as desired, including an existing or new application security group.
14. Select Next.
15. Select the private DNS the Private Endpoints will use.
16. Select Next.
17. Optionally add Tags.
18. Select Next : Review + Create.
19. Review the information and select Create. Follow the Audit Procedure to determine if it has successfully applied.
20. Repeat steps 3-19 for each Key Vault.
Remediate from Azure CLI
1. To create an endpoint, run the following command:
az network private-endpoint create --resource-group <resourceGroup> --vnet-name <vnetName> --subnet <subnetName> --name <privateEndpointName> --private-connection-resource-id "/subscriptions/<AZURE SUBSCRIPTIONID>/resourceGroups/<resourceGroup>/providers/Microsoft.KeyVault/vaults/<keyVaultName>" --group-id vault --connection-name <privateLinkConnectionName> --location <azureRegion> --manual-request
2. To manually approve the endpoint request, run the following command:
az keyvault private-endpoint-connection approve --resource-group <resourceGroup> --vault-name <keyVaultName> --name <privateLinkConnectionName>
3. Determine the network interface of the Private Endpoint, so that its IP address can be registered in the Private DNS zone you created earlier:
az network private-endpoint show -g <resourceGroupName> -n <privateEndpointName>
Look for the property networkInterfaces, then id; that value is used as <privateEndpointNIC> in step 4.
4. Read the private IP address assigned to that network interface:
az network nic show --ids <privateEndpointNIC>
Look for the property ipConfigurations, then privateIPAddress; that value is used as <privateEndpointIP> in step 5.
5. Create an A record for the vault within the Private DNS zone you created for the Private Endpoint (the record value must be the IP address, not the network interface id):
az network private-dns record-set a add-record -g <resourceGroupName> -z "privatelink.vaultcore.azure.net" -n <keyVaultName> -a <privateEndpointIP>
6. Run nslookup from a host inside the VNet (or a network linked to the Private DNS zone) to confirm the record is correct. Both names should resolve to <privateEndpointIP>; if the vault name still resolves to a public address, clients on that network are not using the private endpoint:
nslookup <keyVaultName>.vault.azure.net
nslookup <keyVaultName>.privatelink.vaultcore.azure.net
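The nslookup step above is the one that catches the most common way this remediation silently fails: the private endpoint exists and is approved, but the Private DNS zone is not linked to the client's VNet, so <keyVaultName>.vault.azure.net still follows the public CNAME chain to a public address and traffic never uses Private Link. The following script is an added example, not part of the original page or the CIS benchmark; it walks a CNAME chain and decides whether the final address lies in the private endpoint's subnet. The resolver answers, the vault name contoso-kv, the subnet 10.0.1.0/24 and the Traffic Manager hostname are constructed sample data, not real resources.

```python
"""Check whether a Key Vault hostname resolves to its private endpoint (added example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

PRIVATELINK_ZONE = "privatelink.vaultcore.azure.net"
MAX_HOPS = 8  # guard against CNAME loops and runaway chains

# Resolver answers as hostname -> (record type, value). All entries are constructed
# sample data; real public chains add a Traffic Manager hop before the public address.
# Case 1: Private DNS zone linked to the VNet, so the privatelink name yields the endpoint IP.
PRIVATE_ANSWERS: Dict[str, Tuple[str, str]] = {
    "contoso-kv.vault.azure.net": ("CNAME", "contoso-kv.privatelink.vaultcore.azure.net"),
    "contoso-kv.privatelink.vaultcore.azure.net": ("A", "10.0.1.5"),
}
# Case 2: no Private DNS zone link, so public DNS answers and the chain ends on a public IP.
PUBLIC_ANSWERS: Dict[str, Tuple[str, str]] = {
    "contoso-kv.vault.azure.net": ("CNAME", "contoso-kv.privatelink.vaultcore.azure.net"),
    "contoso-kv.privatelink.vaultcore.azure.net": ("CNAME", "data-prod-example.trafficmanager.net"),
    "data-prod-example.trafficmanager.net": ("A", "203.0.113.10"),
}
# Case 3: a broken zone that loops back on itself.
LOOP_ANSWERS: Dict[str, Tuple[str, str]] = {
    "contoso-kv.vault.azure.net": ("CNAME", "alias.example.invalid"),
    "alias.example.invalid": ("CNAME", "contoso-kv.vault.azure.net"),
}


def walk_chain(name: str, answers: Dict[str, Tuple[str, str]]) -> Tuple[List[str], Optional[str]]:
    """Follow CNAMEs from name. Returns (names visited in order, final A address or None)."""
    visited: List[str] = []
    current = name
    for _ in range(MAX_HOPS):
        visited.append(current)
        record = answers.get(current)
        if record is None:
            return visited, None  # NXDOMAIN / no answer
        rtype, value = record
        if rtype == "A":
            return visited, value
        if rtype == "CNAME" and value not in visited:
            current = value
            continue
        return visited, None  # loop or unsupported record type
    return visited, None  # chain too long


def classify_resolution(vault_name: str, answers: Dict[str, Tuple[str, str]], subnet_cidr: str) -> str:
    """Return 'private', 'public' or 'unresolved' for <vault_name>.vault.azure.net.

    'private' means the final address sits inside the private endpoint's subnet, which is
    what a client on the VNet must see after the remediation; anything else means that
    client would still reach the vault through its public endpoint (or not at all).
    """
    _, ip = walk_chain(f"{vault_name}.vault.azure.net", answers)
    if ip is None:
        return "unresolved"
    if ipaddress.ip_address(ip) in ipaddress.ip_network(subnet_cidr):
        return "private"
    return "public"


def traversed_privatelink_zone(chain: List[str]) -> bool:
    """True when the chain passed through the privatelink zone the A record was added to."""
    return any(n.endswith("." + PRIVATELINK_ZONE) for n in chain)


if __name__ == "__main__":
    cases = [("private DNS zone linked", PRIVATE_ANSWERS),
             ("no private DNS zone link", PUBLIC_ANSWERS),
             ("looping zone", LOOP_ANSWERS)]
    for label, answers in cases:
        chain, ip = walk_chain("contoso-kv.vault.azure.net", answers)
        verdict = classify_resolution("contoso-kv", answers, "10.0.1.0/24")
        zone = "via privatelink zone" if traversed_privatelink_zone(chain) else "privatelink zone not seen"
        print(f"{label}: {' -> '.join(chain)} -> {ip} => {verdict} ({zone})")
```

To use it against a live environment, feed the function the answers returned by a resolver on the VNet (for example from dig +trace or nslookup output) and the subnet you assigned to the endpoint; a "public" verdict from a host that should be private means the Private DNS zone is not linked to that host's VNet, not that the endpoint is missing.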
Default Value
By default, Private Endpoints are not created for services.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v500_8_3_8
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v500_8_3_8 --share
SQL
This control uses a named query:
select
  a.id as resource,
  case
    -- A vault that still allows public network access is flagged even if it has
    -- private endpoint connections, because the private endpoint can be bypassed.
    -- 'defaultAction' = 'Allow' admits all networks, including the internet.
    -- A vault left on the default "all networks" setting has no network_acls at all.
    when network_acls is null or network_acls ->> 'defaultAction' = 'Allow' then 'alarm'
    when private_endpoint_connections is null then 'info'
    when private_endpoint_connections @> '[{"PrivateLinkServiceConnectionStateStatus": "Approved"}]' then 'ok'
    else 'alarm'
  end as status,
  case
    when network_acls is null or network_acls ->> 'defaultAction' = 'Allow' then a.name || ' using public networks.'
    when private_endpoint_connections is null then a.name || ' no private link exists.'
    when private_endpoint_connections @> '[{"PrivateLinkServiceConnectionStateStatus": "Approved"}]' then a.name || ' using private link.'
    else a.name || ' private link not enabled.'
  end as reason,
  a.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_key_vault a
  left join azure_subscription as sub on sub.subscription_id = a.subscription_id;