Vulnerabilities
Misconfiguration
Runtime Security
Compliance
Azure > Keyvault >

Specify Network Acl

CRITICAL
Source
Trivy
ID
AVD-AZU-0013
terraform

Key vault should have the network acl block specified

Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault.

The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass.

Impact

Without a network ACL the key vault is freely accessible

Follow the appropriate remediation steps below to resolve the issue.

Set a network ACL for the key vault

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

 resource "azurerm_key_vault" "good_example" {
     name                        = "examplekeyvault"
     location                    = azurerm_resource_group.good_example.location
     enabled_for_disk_encryption = true
     soft_delete_retention_days  = 7
     purge_protection_enabled    = false
 
     network_acls {
         bypass = "AzureServices"
         default_action = "Deny"
     }
 }
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2023 Aqua Security Software Ltd.   Privacy Policy | Terms of Use