turbot/steampipe-mod-azure-compliance

Control: Azure Key Vaults should use private link

Description

Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to a key vault, you can reduce data leakage risks.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.keyvault_vault_private_link_used

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.keyvault_vault_private_link_used --share

SQL

This control uses a named query:

select
  a.id as resource,
  case
    -- Having private_endpoint_connections alone does not mean the vault uses them.
    -- If 'defaultAction' = 'Allow', all networks, including the internet, are allowed, which does not satisfy the private endpoint requirement.
    -- A vault left open to all networks by default has no network_acls associated.
    when network_acls is null
      or network_acls ->> 'defaultAction' = 'Allow' then 'alarm'
    when private_endpoint_connections is null then 'info'
    when private_endpoint_connections @> '[{"PrivateLinkServiceConnectionStateStatus": "Approved"}]' then 'ok'
    else 'alarm'
  end as status,
  case
    when network_acls is null
      or network_acls ->> 'defaultAction' = 'Allow' then a.name || ' using public networks.'
    when private_endpoint_connections is null then a.name || ' no private link exists.'
    when private_endpoint_connections @> '[{"PrivateLinkServiceConnectionStateStatus": "Approved"}]' then a.name || ' using private link.'
    else a.name || ' private link not enabled.'
  end as reason,
  a.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_key_vault a,
  azure_subscription sub;
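
The precedence of the checks in the query above, as an added example that is not part of the mod: the same CASE expression run over constructed rows (the sample_vaults CTE and the vault names are made up) in plain PostgreSQL, with no Azure connection needed. It shows that the firewall default is evaluated first, so an approved private endpoint does not clear a vault whose defaultAction is still Allow.

```sql
-- Constructed sample rows standing in for azure_key_vault; not real vaults.
with sample_vaults (name, network_acls, private_endpoint_connections) as (
  values
    -- no network ACLs at all: open to all networks
    ('kv-open', null::jsonb, null::jsonb),
    -- approved private endpoint, but the firewall still allows every network
    ('kv-allow-with-endpoint',
     '{"defaultAction": "Allow"}'::jsonb,
     '[{"PrivateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb),
    -- firewall denies by default, no private endpoint connection recorded
    ('kv-deny-no-endpoint', '{"defaultAction": "Deny"}'::jsonb, null::jsonb),
    -- firewall denies by default, endpoint connection exists but is not approved
    ('kv-deny-pending',
     '{"defaultAction": "Deny"}'::jsonb,
     '[{"PrivateLinkServiceConnectionStateStatus": "Pending"}]'::jsonb),
    -- firewall denies by default, empty connection list (not null)
    ('kv-deny-empty-list', '{"defaultAction": "Deny"}'::jsonb, '[]'::jsonb),
    -- firewall denies by default, one of several connections is approved
    ('kv-deny-approved',
     '{"defaultAction": "Deny"}'::jsonb,
     '[{"PrivateLinkServiceConnectionStateStatus": "Pending"},
       {"PrivateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb)
)
select
  name,
  case
    -- 1. public exposure is checked first and wins over everything else
    when network_acls is null
      or network_acls ->> 'defaultAction' = 'Allow' then 'alarm'
    -- 2. locked down, but nothing to evaluate for private link
    when private_endpoint_connections is null then 'info'
    -- 3. jsonb containment: true if any array element has status Approved
    when private_endpoint_connections
      @> '[{"PrivateLinkServiceConnectionStateStatus": "Approved"}]' then 'ok'
    -- 4. connections exist (or the list is empty) but none is approved
    else 'alarm'
  end as status
from
  sample_vaults
order by
  name;
```

Only the last sample row reaches ok. The empty-list row falls through to the final alarm branch rather than info, because the info branch tests for null, not for an empty array.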

Tags