Ensure key vault allows firewall rules settings

Error: Key vault does not allow firewall rules settings

Bridgecrew Policy ID: BC_AZR_NETWORKING_33
Checkov Check ID: CKV_AZURE_109
Severity: MEDIUM


Description

Key Vault's firewall prevents unauthorized traffic from reaching your key vault and provides an additional layer of protection for your secrets. Enable the firewall to make sure that only traffic from allowed networks can access your key vault. By setting bypass = "AzureServices" and default_action = "Deny", only traffic matching the configured ip_rules and/or virtual_network_subnet_ids is let through.

Fix - Buildtime

Terraform

  • Resource: azurerm_key_vault
  • Argument: network_acls.default_action
resource "azurerm_key_vault" "example" {
  ...
+ network_acls {
+   default_action = "Deny"
+   bypass         = "AzureServices"
+ }
}
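A fuller version of the fix, as an added example that is not from the original page or from Bridgecrew: the permissive resource beside the hardened one, with the allowed subnet and IP range spelled out. The resource group, client config data source, subnet and the 203.0.113.0/24 range are placeholders assumed to exist elsewhere in your configuration.

```hcl
# Added example, not part of the original page. azurerm_resource_group.example,
# data.azurerm_client_config.current and azurerm_subnet.app are assumed to be
# defined elsewhere; the IP range is a placeholder.

# Weak: no network_acls block, so Azure leaves the vault reachable from any
# network. This is what CKV_AZURE_109 flags.
resource "azurerm_key_vault" "open" {
  name                = "kv-open-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
}

# Hardened: deny by default, let trusted Azure services through, and list
# only the subnet and public IP range that are meant to reach the vault.
resource "azurerm_key_vault" "restricted" {
  name                = "kv-restricted-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"

    # Placeholder egress range; only addresses matching these rules get in.
    ip_rules = ["203.0.113.0/24"]

    # The referenced subnet must have the "Microsoft.KeyVault" service
    # endpoint enabled, otherwise the virtual network rule has no effect.
    virtual_network_subnet_ids = [azurerm_subnet.app.id]
  }
}
```

Public-network callers outside ip_rules and subnets outside virtual_network_subnet_ids are rejected at the network layer before any RBAC or access-policy evaluation takes place.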
