# AZU020

Pattern: Key vault should have the network acl block specified

Issue: -

## Description

Network ACLs reduce your exposure to risk by limiting which networks and IP addresses can reach your key vault.

The network ACL's default action should be set to deny, so that requests from IPs that match no rule are rejected. Trusted Azure services can be allowed to bypass the ACL.

Resolution: Set a network ACL for the key vault.

## Examples

Example of incorrect code:

```hcl
# The resource group and the azurerm_client_config data source are assumed to be
# declared elsewhere; resource_group_name, tenant_id and sku_name are required
# by the provider and have been added so the example applies cleanly.
resource "azurerm_key_vault" "bad_example" {
    name                        = "examplekeyvault"
    location                    = azurerm_resource_group.bad_example.location
    resource_group_name         = azurerm_resource_group.bad_example.name
    tenant_id                   = data.azurerm_client_config.current.tenant_id
    sku_name                    = "standard"
    enabled_for_disk_encryption = true
    soft_delete_retention_days  = 7
    purge_protection_enabled    = false

    # No network_acls block: the vault accepts requests from any network.
}
```

Example of correct code:

```hcl
resource "azurerm_key_vault" "good_example" {
    name                        = "examplekeyvault"
    location                    = azurerm_resource_group.good_example.location
    resource_group_name         = azurerm_resource_group.good_example.name
    tenant_id                   = data.azurerm_client_config.current.tenant_id
    sku_name                    = "standard"
    enabled_for_disk_encryption = true
    soft_delete_retention_days  = 7
    purge_protection_enabled    = false

    network_acls {
        # Trusted Azure services may bypass the ACL; everything else is denied
        # unless it matches an ip_rules or virtual_network_subnet_ids entry.
        bypass         = "AzureServices"
        default_action = "Deny"
    }
}
```
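The check this rule describes, written out as an added example (not tfsec's own implementation and not code from the page): a small Python scanner that applies the AZU020 condition to Terraform text. It uses a brace-matching scan instead of a full HCL parser, so it is only meant for well-formed `.tf` files; `SAMPLE_TF` is constructed for the example and contains the page's two shapes plus a vault whose `default_action` is `Allow`.

```python
import re

# Constructed sample: the page's bad/good shapes plus a vault that allows by default.
SAMPLE_TF = """
resource "azurerm_key_vault" "bad_example" {
    name = "examplekeyvault"
}
resource "azurerm_key_vault" "good_example" {
    name = "examplekeyvault"
    network_acls {
        bypass         = "AzureServices"
        default_action = "Deny"
    }
}
resource "azurerm_key_vault" "open_example" {
    name = "examplekeyvault"
    network_acls {
        bypass         = "AzureServices"
        default_action = "Allow"
    }
}
"""

def _block_body(text, start):
    """Return the text between the brace at index `start` and its matching close."""
    depth = 0
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start + 1:i]
    raise ValueError("unbalanced braces")

def key_vault_blocks(text):
    """Yield (resource_name, body) for each azurerm_key_vault resource in `text`."""
    for m in re.finditer(r'resource\s+"azurerm_key_vault"\s+"([^"]+)"\s*\{', text):
        yield m.group(1), _block_body(text, m.end() - 1)

def check_network_acls(text):
    """AZU020: each vault needs network_acls with default_action = "Deny".
    Returns {resource_name: reason} for vaults that fail; an empty dict means all pass."""
    findings = {}
    for name, body in key_vault_blocks(text):
        m = re.search(r"network_acls\s*\{", body)
        if not m:
            findings[name] = "missing network_acls block"
            continue
        action = re.search(r'default_action\s*=\s*"([^"]+)"', _block_body(body, m.end() - 1))
        if not action or action.group(1) != "Deny":
            findings[name] = "network_acls default_action is not Deny"
    return findings
```

Running `check_network_acls(SAMPLE_TF)` flags `bad_example` (no block) and `open_example` (default action Allow) and passes `good_example`.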