turbot/steampipe-mod-azure-compliance

Control: Azure Key Vault should disable public network access

Description

Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.keyvault_vault_public_network_access_disabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.keyvault_vault_public_network_access_disabled --share

SQL

This control uses a named query:

select
a.id as resource,
case
-- In case'defaultAction' = 'Allow', All Network including internet is allowed
-- Default All network will have not network_acls associated
when network_acls is null or network_acls ->> 'defaultAction' != 'Deny' then 'alarm'
else 'ok'
end as status,
case
when network_acls is null or network_acls ->> 'defaultAction' != 'Deny' then a.name || ' public network access enabled.'
else a.name || ' public network access disabled.'
end as reason
, a.resource_group as resource_group
, sub.display_name as subscription
from
azure_key_vault a,
azure_subscription sub;

Tags