Ensure that your Microsoft Azure Key Vaults are configured to deny access to traffic from all networks (including the public Internet). By restricting the public access to your Azure Key Vaults, you add an important layer of security, since the default action is to accept connections from clients on any network. To limit access to trusted networks and/or IP addresses, you must change the Key Vault firewall default action from "Allow" to "Deny" and configure the appropriate access.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure
Access to your Azure Key Vaults should be granted to specific Azure Virtual Networks, which provide a secure network boundary for specific applications, or to public IP addresses/IP address ranges, which can enable connections from trusted Internet services and on-premises networks. Once the firewall rules are properly configured, only applications from allowed networks or IPs can access your Key Vault resources (encryption keys, secrets, certificates, etc.).
Note: Making changes to network firewall rules can impact your applications' ability to connect to the Azure Key Vault. Make sure to grant access to any trusted service or network using network rules or IP addresses/ranges before you change the firewall default rule to deny access.
To determine if the default network access (i.e. access from all networks) is restricted for your Azure Key Vaults, perform the following actions:
Remediation / Resolution
To restrict default network access (i.e. public access) to your Microsoft Azure Key Vaults, perform the following actions:
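As an added example (not code from the Cloud Conformity page), the audit and remediation described above expressed with the Azure CLI: a check of the vault's firewall default action, and a remediation that grants the trusted network and IP rules first and only then switches the default action to Deny. The vault, resource group, virtual network, subnet and IP values are placeholders.

```shell
#!/bin/sh
# Added example; not from the original page. Requires `az login` for the live
# functions. All resource names and the IP below are placeholders.

# Constructed sample of the JSON `az keyvault show` returns for a vault whose
# firewall still has the insecure default (accept connections from any network).
SAMPLE_OPEN_VAULT='{"name":"example-vault","properties":{"networkAcls":{"bypass":"AzureServices","defaultAction":"Allow","ipRules":[],"virtualNetworkRules":[]}}}'

# Print properties.networkAcls.defaultAction from the vault JSON given as $1:
# "Allow", "Deny", or "None" when the vault has no networkAcls block at all
# (also meaning access from any network).
default_action() {
  action=$(printf '%s' "$1" | tr -d ' \n' | sed -n 's/.*"defaultAction":"\([A-Za-z]*\)".*/\1/p')
  printf '%s' "${action:-None}"
}

# Exit 0 when the vault denies default network access, 1 when it is open.
is_restricted() {
  [ "$(default_action "$1")" = "Deny" ]
}

# Live audit of one vault: $1 = vault name, $2 = resource group.
audit_vault() {
  vault_json=$(az keyvault show --name "$1" --resource-group "$2" --output json)
  if is_restricted "$vault_json"; then
    echo "$1: default network access is Deny (compliant)"
  else
    echo "$1: default network access is $(default_action "$vault_json") (NON-COMPLIANT)"
  fi
}

# Remediation in the order the note above requires: add the trusted subnet and
# IP rules first, then change the firewall default action from Allow to Deny.
# $1 vault, $2 resource group, $3 VNet, $4 subnet (needs the Microsoft.KeyVault
# service endpoint enabled), $5 trusted public IP address or CIDR range.
restrict_vault() {
  az keyvault network-rule add --name "$1" --resource-group "$2" --vnet-name "$3" --subnet "$4"
  az keyvault network-rule add --name "$1" --resource-group "$2" --ip-address "$5"
  az keyvault update --name "$1" --resource-group "$2" --default-action Deny --bypass AzureServices
}
```

Run `audit_vault <vault> <resource-group>` to check a vault, and `restrict_vault <vault> <resource-group> <vnet> <subnet> <ip-or-cidr>` to apply the remediation.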
- Azure Official Documentation
- Configure Azure Key Vault firewalls and virtual networks
- Virtual network service endpoints for Azure Key Vault
Restrict Default Network Access for Azure Key Vaults
Risk level: Medium