Control: Key Vault should use a virtual network service endpoint
Description
This control audits Key Vaults whose network ACLs do not restrict access to a virtual network service endpoint. A vault is in alarm when its network ACL default action is not Deny, or when no virtual network rule (subnet) is configured; IP rules and the bypass setting are not evaluated by this control.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.keyvault_vault_use_virtual_service_endpoint
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.keyvault_vault_use_virtual_service_endpoint --share
SQL
This control uses a named query:
with keyvault_vault_subnet as (
  -- vaults that have at least one virtual network rule (subnet id) in their network ACLs
  select distinct
    a.name,
    rule ->> 'id' as id
  from
    azure_key_vault as a,
    jsonb_array_elements(network_acls -> 'virtualNetworkRules') as rule
  where
    rule ->> 'id' is not null
)
select distinct
  a.name as resource,
  case
    when network_acls ->> 'defaultAction' <> 'Deny' then 'alarm'
    when s.name is null then 'alarm'
    else 'ok'
  end as status,
  case
    when network_acls ->> 'defaultAction' <> 'Deny' then a.name || ' not configured with virtual service endpoint.'
    when s.name is null then a.name || ' not configured with virtual service endpoint.'
    else a.name || ' configured with virtual service endpoint.'
  end as reason,
  a.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_key_vault as a
  left join keyvault_vault_subnet as s on a.name = s.name,
  azure_subscription as sub
where
  sub.subscription_id = a.subscription_id;
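The query's pass/fail logic, re-implemented in Python as an added example (this is not code from the Powerpipe mod). It reads the same two inputs the query reads, name and network_acls (the vault's properties.networkAcls object, or None), and runs them over constructed sample rows so the rule can be checked without a Steampipe connection. The vault names, resource groups, subscription label and subnet id are hypothetical.

```python
# Added example, not part of the azure_compliance mod: the control's
# pass/fail logic over constructed Key Vault rows.
from typing import Optional

NOT_CONFIGURED = "{} not configured with virtual service endpoint."
CONFIGURED = "{} configured with virtual service endpoint."


def has_vnet_rule(network_acls: Optional[dict]) -> bool:
    """Mirror the keyvault_vault_subnet CTE: true when at least one
    virtualNetworkRules entry carries a non-null subnet id."""
    if not network_acls:
        return False
    rules = network_acls.get("virtualNetworkRules") or []
    return any(rule.get("id") is not None for rule in rules)


def evaluate(vault: dict) -> tuple[str, str]:
    """Return (status, reason) for one azure_key_vault row, using the
    same branch order as the query's CASE expressions."""
    name = vault["name"]
    acls = vault.get("network_acls") or {}
    default_action = acls.get("defaultAction")
    # SQL three-valued logic: NULL <> 'Deny' is NULL, not true, so a missing
    # defaultAction skips the first branch and is judged on the vnet rule alone.
    if default_action is not None and default_action != "Deny":
        return "alarm", NOT_CONFIGURED.format(name)
    if not has_vnet_rule(acls):
        return "alarm", NOT_CONFIGURED.format(name)
    return "ok", CONFIGURED.format(name)


def run_control(vaults: list[dict]) -> list[dict]:
    """Evaluate every row and return result rows shaped like the control's output."""
    results = []
    for vault in vaults:
        status, reason = evaluate(vault)
        results.append({
            "resource": vault["name"],
            "status": status,
            "reason": reason,
            "resource_group": vault.get("resource_group"),
            "subscription": vault.get("subscription"),
        })
    return results


# Constructed sample rows (hypothetical names and a hypothetical subnet id).
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
             "rg-net/providers/Microsoft.Network/virtualNetworks/vnet-prod/subnets/app")

SAMPLE_VAULTS = [
    # Deny by default plus a subnet rule: the configuration the control wants.
    {"name": "kv-locked", "resource_group": "rg-sec", "subscription": "prod",
     "network_acls": {"defaultAction": "Deny", "bypass": "AzureServices",
                      "virtualNetworkRules": [{"id": SUBNET_ID}], "ipRules": []}},
    # Subnet rule present, but defaultAction Allow means the rule restricts nothing.
    {"name": "kv-open-default", "resource_group": "rg-app", "subscription": "prod",
     "network_acls": {"defaultAction": "Allow", "bypass": "None",
                      "virtualNetworkRules": [{"id": SUBNET_ID}], "ipRules": []}},
    # Deny with no subnet rule: locked down, but not to a service endpoint.
    {"name": "kv-deny-no-rules", "resource_group": "rg-app", "subscription": "prod",
     "network_acls": {"defaultAction": "Deny", "bypass": "None",
                      "virtualNetworkRules": [], "ipRules": []}},
    # No network ACLs at all: the vault is reachable from any network.
    {"name": "kv-no-acls", "resource_group": "rg-dev", "subscription": "dev",
     "network_acls": None},
]

if __name__ == "__main__":
    for row in run_control(SAMPLE_VAULTS):
        print(f"{row['status']:5}  {row['reason']}")
```

Note the edge case the comment in evaluate() points at: because the first CASE branch compares with `<>`, a row whose network_acls has a virtualNetworkRules entry but no defaultAction key at all passes the query. In practice Azure returns defaultAction whenever networkAcls is set, so this only matters if you feed the query hand-built rows.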