Control: Azure Key Vault should disable public network access
Description
Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.keyvault_vault_public_network_access_disabledSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.keyvault_vault_public_network_access_disabled --shareSQL
This control uses a named query:
select a.id as resource, case -- In case'defaultAction' = 'Allow', All Network including internet is allowed -- Default All network will have not network_acls associated when network_acls is null or network_acls ->> 'defaultAction' != 'Deny' then 'alarm' else 'ok' end as status, case when network_acls is null or network_acls ->> 'defaultAction' != 'Deny' then a.name || ' public network access enabled.' else a.name || ' public network access disabled.' end as reason , a.resource_group as resource_group , sub.display_name as subscriptionfrom azure_key_vault a left join azure_subscription as sub on sub.subscription_id = a.subscription_id;