
Key vault has no network ACL specified

Severity: CRITICAL
Exploitability: MEDIUM
Providers: Azure
Categories: NETWORK

Description

A network ACL (Access Control List) restricts which networks can reach the key vault's authentication endpoint, reducing its exposure. When a new key vault is created, the Azure Key Vault firewall is disabled by default, so clients on any network, including untrusted ones, can attempt to authenticate.

Impact

Potential data exposure: True
Visible in logs: True
User interaction required: False
Privileges required: False

If no Azure Key Vault firewall is set up, any source can send requests to the vault, exposing it to Distributed Denial of Service (DDoS). Also, even though authentication is required to access the vault, credentials might be brute-forced, leading to data exposure.

Remediation guidelines

A network ACL should be configured on the key vault so that only the specific networks and services that need it can reach it.
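To make the default-versus-remediated states concrete, here is an added audit check (not code from the original page or from Azure) that inspects the `properties.networkAcls` block of a Microsoft.KeyVault/vaults resource, as returned by `az keyvault show`, and reports a vault left at its defaults or configured with a non-enforcing `defaultAction`. The sample vault records and their names are constructed for this example.

```python
"""Flag Azure Key Vaults whose network ACL is missing or permissive."""
import json

# Constructed sample: a vault at its defaults, one with rules but no Deny,
# and one locked down as the remediation describes.
SAMPLE_VAULTS = json.loads("""
[
  {"name": "kv-default",
   "properties": {"tenantId": "00000000-0000-0000-0000-000000000000"}},
  {"name": "kv-allow-with-rules",
   "properties": {"networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices",
                  "ipRules": [{"value": "203.0.113.0/24"}], "virtualNetworkRules": []}}},
  {"name": "kv-locked",
   "properties": {"networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices",
                  "ipRules": [{"value": "203.0.113.0/24"}],
                  "virtualNetworkRules": [{"id": "/subscriptions/sub-placeholder/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/app"}]}}}
]
""")


def vault_acl_findings(vault: dict) -> list:
    """Return finding strings for one vault; an empty list means the firewall is enforced."""
    props = vault.get("properties", {})
    if props.get("publicNetworkAccess", "Enabled").lower() == "disabled":
        return []  # public endpoint is switched off entirely; no network ACL needed
    acl = props.get("networkAcls")
    if acl is None:
        # The default for a new vault: no firewall, so any network may authenticate.
        return ["networkAcls missing: any network can reach the vault"]
    findings = []
    if acl.get("defaultAction", "Allow").lower() != "deny":
        # With Allow as the default, ipRules/virtualNetworkRules restrict nothing.
        findings.append("defaultAction is Allow: ipRules/virtualNetworkRules are not enforced")
    for rule in acl.get("ipRules") or []:
        cidr = rule.get("value", "")
        if cidr.endswith("/0"):  # an allow-all prefix defeats a Deny default
            findings.append(f"ipRule {cidr} allows every source address")
    return findings


def audit(vaults: list) -> dict:
    """Map vault name -> findings, keeping only vaults that have at least one."""
    return {v["name"]: f for v in vaults if (f := vault_acl_findings(v))}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_VAULTS).items():
        print(name, "->", "; ".join(findings))
```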

References
