Skip to main content

lacework-global-640

8.7 Ensure that Private Endpoints are Used for Azure Key Vault (Automated)

note

This rule has been changed to automated, see Automated Rules for CIS Azure 1.5.0 for details.

Profile Applicability

• Level 2

Description

Private endpoints will secure network traffic from Azure Key Vault to the resources requesting secrets and keys.

Rationale

Private endpoints will keep network requests to Azure Key Vault limited to the endpoints attached to the resources that are whitelisted to communicate with each other. Assigning the Key Vault to a network without an endpoint will allow other resources on that network to view all traffic from the Key Vault to its destination. In spite of the complexity in configuration, this is recommended for high security secrets.

Impact

Incorrect or poorly-timed changing of network configuration could result in service interruption. There are also additional costs tiers for running a private endpoint per petabyte or more of networking traffic.

Audit

From Azure Portal

  1. From Azure Home open the Portal Menu in the top left.
  2. Select Key Vaults.
  3. Select each Key Vault to be audited.
  4. Select Networking in the left column.
  5. Then select Private Endpoints in the row menu.
  6. View if there is an endpoint attached.

From Azure CLI

Run the following command within a subscription for each Key Vault you wish to audit.

az keyvault private-endpoint-connection show -g <resourceGroup> --vault-name <keyVaultName>

From Azure Powershell

Run the following command within a subscription for each Key Vault you wish to audit.

Get-AzPrivateEndpointConnection -PrivateLinkResourceId '/subscriptions/<subscriptionNumber>/resourceGroups/<resourceGroup>/providers/Microsoft.KeyVault/vaults/<keyVaultName>/'

Remediation

Please see the additional information about the requirements needed before starting this remediation procedure.

From Azure Portal

  1. From Azure Home open the Portal Menu in the top left.
  2. Select Key Vaults.
  3. Select each Key Vault to be audited.
  4. Select Networking in the left column.
  5. Then select Private Endpoints in the row menu.
  6. Select + Create
  7. Select the subscription your Key Vault is within, and other desired configuration.
  8. Select Next
  9. For resource type select Microsoft.KeyVault/vaults.
  10. Select the Key Vault you wish to associate the Private Endpoint to.
  11. In the Virtual Networking field, select the network you wish to assign the Endpoint. Or if creating a new network name it here.
  12. Select other configuration options as desired, including an existing or new application security group.
  13. Select the private DNS the Private Endpoints will use.
  14. Review this information and select Create. Follow the Audit Procedure to determine if it has successfully applied.

From Azure CLI

  1. To create an endpoint, run the following command:
az network private-endpoint create --resource-group <resourceGroup --vnet-name <vnetName> --subnet <subnetName> --name <PrivateEndpointName> --private-connection-resource-id "/subscriptions/<AZURE SUBSCRIPTION ID>/resourceGroups/<resourceGroup>/providers/Microsoft.KeyVault/vaults/<keyVaultName>" --group-ids vault --connection-name <privateLinkConnectionName> --location <azureRegion> --manual-request
  1. To manually approve the endpoint request, run the following command:
az keyvault private-endpoint-connection approve --resource-group <resourceGroup> --vault-name <keyVaultName> –name <privateLinkName>
  1. Determine the Private Endpoint's IP address to connect the Key Vault to the Private DNS you have previously created:

  2. Look for the property networkInterfaces then id; the value must be placed in the variable <privateEndpointNIC> within step 7.

az network private-endpoint show -g <resourceGroupName> -n <privateEndpointName> 
  1. Look for the property networkInterfaces then id; the value must be placed on <privateEndpointNIC> in step 7.
az network nic show --ids <privateEndpointName> 
  1. Create a Private DNS record within the DNS Zone you created for the Private Endpoint:
az network private-dns record-set a add-record -g <resourcecGroupName> -z "privatelink.vaultcore.azure.net" -n <keyVaultName> -a <privateEndpointNIC>
  1. nslookup the private endpoint to determine if the DNS record is correct:
nslookup <keyVaultName>.vault.azure.net
nslookup <keyVaultName>.privatelink.vaultcore.azure.n

References

https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview
https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
https://azure.microsoft.com/en-us/pricing/details/private-link/
https://docs.microsoft.com/en-us/azure/key-vault/general/private-link-service?tabs=portal
https://docs.microsoft.com/en-us/azure/virtual-network/quick-create-portal
https://docs.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal
https://docs.microsoft.com/en-us/azure/bastion/bastion-overview
https://docs.microsoft.com/azure/dns/private-dns-getstarted-cli#create-an-additional-dns-record
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-8-ensure-security-of-key-and-certificate-repository

Additional Information

This recommendation assumes that you have created a Resource Group containing a Virtual Network that the services are already associated with and configured private DNS. A Bastion on the virtual network is also required, and the service to which you are connecting must already have a Private Endpoint. For information concerning the installation of these services, please see the attached documentation.

Microsoft's own documentation lists the requirements as: A Key Vault. An Azure virtual network. A subnet in the virtual network. Owner or contributor permissions for both the Key Vault and the virtual network.