Control: Azure Key Vault should have firewall enabled
Description
Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.keyvault_firewall_enabled
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.keyvault_firewall_enabled --share
SQL
This control uses a named query:
select kv.id as resource, case when jsonb_array_length(network_acls -> 'ipRules') > 0 then 'ok' else 'alarm' end as status, case when jsonb_array_length(network_acls -> 'ipRules') > 0 then name || ' firewall enabled.' else name || ' firewall disabled.' end as reason , kv.resource_group as resource_group , sub.display_name as subscriptionfrom azure_key_vault kv, azure_subscription subwhere sub.subscription_id = kv.subscription_id;