turbot/steampipe-mod-azure-compliance

Control: Azure Key Vault should have firewall enabled

Description

Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.keyvault_firewall_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.keyvault_firewall_enabled --share

SQL

This control uses a named query:

select
kv.id as resource,
case
when jsonb_array_length(network_acls -> 'ipRules') > 0 then 'ok'
else 'alarm'
end as status,
case
when jsonb_array_length(network_acls -> 'ipRules') > 0 then name || ' firewall enabled.'
else name || ' firewall disabled.'
end as reason
, kv.resource_group as resource_group
, sub.display_name as subscription
from
azure_key_vault kv,
azure_subscription sub
where
sub.subscription_id = kv.subscription_id;

Tags