/
keyvault-specify-network-acl.yaml
54 lines (54 loc) · 1.35 KB
/
keyvault-specify-network-acl.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
rules:
- id: keyvault-specify-network-acl
message: >-
Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault.
The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services
can be allowed
to bypass.
patterns:
- pattern: resource
- pattern-not-inside: |
resource "azurerm_key_vault" "..." {
...
network_acls {
...
default_action = "Deny"
...
}
...
}
- pattern-either:
- pattern-inside: |
resource "azurerm_key_vault" "..." {
...
}
- pattern-inside: |
resource "azurerm_key_vault" "..." {
...
network_acls {
...
default_action = "Allow"
...
}
...
}
metadata:
cwe:
- 'CWE-284: Improper Access Control'
category: security
technology:
- terraform
- azure
references:
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#network_acls
- https://docs.microsoft.com/en-us/azure/key-vault/general/network-security
owasp:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
languages: [hcl]
severity: ERROR