turbot/steampipe-mod-azure-compliance

Control: 8.3.7 Ensure Public Network Access is Disabled

Description

Disable public network access to prevent exposure to the internet and reduce the risk of unauthorized access. Use private endpoints to securely manage access within trusted networks.

When a private endpoint is configured on a key vault, connections from Azure resources within the same subnet will use its private IP address. However, network traffic from the public internet can still connect to the key vault's public endpoint (mykeyvault.vault.azure.net) using its public IP address unless public network access is disabled.

Disabling public network access removes the vault's public endpoint from Azure public DNS, reducing its exposure to the public internet. With a private endpoint configured, network traffic will use the vault's private endpoint IP address for all requests (mykeyvault.vault.privatelink.azure.net).

Remediation

Remediate from Azure Portal

  1. Go to Key vaults.
  2. Click the name of a key vault.
  3. Under Settings, click Networking.
  4. Under Firewalls and virtual networks, next to Allow access from:, click the radio button next to Disable public access.
  5. Click Apply.
  6. Repeat steps 1-5 for each key vault requiring remediation.

Remediate from Azure CLI

For each key vault requiring remediation, run the following command to disable public network access:

az keyvault update --resource-group <resource-group> --name <key-vault> --public-network-access Disabled

Remediate from PowerShell

For each key vault requiring remediation, run the following command to disable public network access:

Update-AzKeyVault -ResourceGroupName <resource-group> -VaultName <vault-name> -PublicNetworkAccess "Disabled"

Default Value

Public network access is enabled by default.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v500_8_3_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v500_8_3_7 --share

SQL

This control uses a named query:

select
  a.id as resource,
  case
    -- When 'defaultAction' is 'Allow', every network, including the public internet, can reach the vault.
    -- A vault left at its defaults has no network_acls at all and is treated the same way.
    -- 'is distinct from' keeps a missing 'defaultAction' key in alarm instead of letting the null
    -- comparison fall through to 'ok'.
    when network_acls is null or (network_acls ->> 'defaultAction') is distinct from 'Deny' then 'alarm'
    else 'ok'
  end as status,
  case
    when network_acls is null or (network_acls ->> 'defaultAction') is distinct from 'Deny' then a.name || ' public network access enabled.'
    else a.name || ' public network access disabled.'
  end as reason,
  a.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_key_vault a
  left join azure_subscription as sub on sub.subscription_id = a.subscription_id;
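The following Python script is an added example, not part of the mod or of Steampipe. It re-implements the evaluation performed by the named query above outside of Steampipe, against vault objects shaped like the JSON that `az keyvault list -o json` returns (top-level `id`, `name`, `resourceGroup`, nested `properties.networkAcls.defaultAction` and `properties.publicNetworkAccess`; the exact shape and the sample records are assumptions, constructed here rather than captured from a subscription). It also ties the query to the Azure CLI remediation from the Remediation section: for every vault whose `publicNetworkAccess` is not `Disabled` it emits the `az keyvault update ... --public-network-access Disabled` command to run. Checking that property separately matters because a vault whose firewall `defaultAction` is `Deny` passes the control's ACL test yet still serves its public endpoint to any allow-listed IP rule, which is exactly the case the CLI and PowerShell remediation closes.

```python
"""Evaluate Key Vault public exposure the way the control's query does, and
emit the az CLI remediation for vaults whose public endpoint is still enabled.

Assumption: input is a list of vault objects shaped like `az keyvault list`
output. The sample below is constructed for illustration, not real output.
"""
import json

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id


def _vault(name, rg, public_access=None, acls=None):
    """Build one constructed vault record in the assumed az CLI shape."""
    props = {}
    if public_access is not None:
        props["publicNetworkAccess"] = public_access
    if acls is not None:
        props["networkAcls"] = acls
    return {
        "id": f"{SUB}/resourceGroups/{rg}/providers/Microsoft.KeyVault/vaults/{name}",
        "name": name,
        "resourceGroup": rg,
        "properties": props,
    }


# Constructed sample: one open vault, one untouched default, one locked down,
# and one that relies on firewall rules but still exposes its public endpoint.
SAMPLE_VAULTS_JSON = json.dumps([
    _vault("kv-open", "rg-app", "Enabled", {"defaultAction": "Allow", "bypass": "AzureServices"}),
    _vault("kv-default", "rg-app"),  # no networkAcls, no publicNetworkAccess set
    _vault("kv-locked", "rg-core", "Disabled", {"defaultAction": "Deny", "bypass": "AzureServices"}),
    _vault("kv-acl-only", "rg-core", "Enabled", {"defaultAction": "Deny", "bypass": "None"}),
])


def control_status(vault):
    """Same rule as the query: alarm unless networkAcls exists and its
    defaultAction is Deny. A missing key counts as alarm, never as ok."""
    acls = vault.get("properties", {}).get("networkAcls")
    if acls is None or acls.get("defaultAction") != "Deny":
        return "alarm"
    return "ok"


def public_access_enabled(vault):
    """True unless publicNetworkAccess is explicitly Disabled. An absent
    property means the Azure default, which is Enabled (see Default Value)."""
    value = vault.get("properties", {}).get("publicNetworkAccess", "Enabled")
    return str(value).lower() != "disabled"


def remediation_command(vault):
    """The Azure CLI command from the Remediation section, filled in."""
    return (f"az keyvault update --resource-group {vault['resourceGroup']} "
            f"--name {vault['name']} --public-network-access Disabled")


def evaluate(vaults):
    """Return one result row per vault: the control's status and reason,
    plus the remediation command when the public endpoint is still enabled."""
    rows = []
    for v in vaults:
        status = control_status(v)
        exposed = public_access_enabled(v)
        word = "enabled" if status == "alarm" else "disabled"
        rows.append({
            "resource": v["id"],
            "name": v["name"],
            "status": status,
            "reason": f"{v['name']} public network access {word}.",
            "public_network_access": "Enabled" if exposed else "Disabled",
            "remediation": remediation_command(v) if exposed else None,
        })
    return rows


def evaluate_json(text):
    """Convenience wrapper for raw `az keyvault list -o json` text."""
    return evaluate(json.loads(text))


if __name__ == "__main__":
    for row in evaluate_json(SAMPLE_VAULTS_JSON):
        print(f"{row['status']:5} {row['name']:12} publicNetworkAccess={row['public_network_access']}")
        if row["remediation"]:
            print(f"      {row['remediation']}")
```

Pipe real data in with `az keyvault list -o json | python3 this_script.py` after swapping the `__main__` block to read `sys.stdin`; in a subscription you only want to review the emitted commands, not execute them blindly, since disabling public access also cuts off any pipelines or operators that still reach the vault over its public endpoint.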

Tags