3.3.7 Ensure that Private Endpoints are Used for Azure Key Vault

Information

Private endpoints will secure network traffic from Azure Key Vault to the resources requesting secrets and keys.

Rationale:

Private endpoints will keep network requests to Azure Key Vault limited to the endpoints attached to the resources that are whitelisted to communicate with each other. Assigning the Key Vault to a network without an endpoint will allow other resources on that network to view all traffic from the Key Vault to its destination. In spite of the complexity in configuration, this is recommended for high security secrets.

Impact:

Incorrect or poorly-timed changing of network configuration could result in service interruption. There are also additional costs tiers for running a private endpoint per petabyte or more of networking traffic.

Solution

Please see the additional information about the requirements needed before starting this remediation procedure.
Remediate from Azure Portal

From Azure Home open the Portal Menu in the top left.

Select Key Vaults.

Select a Key Vault to audit.

Select Networking in the left column.

Select Private endpoint connections from the top row.

Select + Create.

Select the subscription the Key Vault is within, and other desired configuration.

Select Next.

For resource type select Microsoft.KeyVault/vaults.

Select the Key Vault to associate the Private Endpoint with.

Select Next.

In the Virtual Networking field, select the network to assign the Endpoint.

Select other configuration options as desired, including an existing or new application security group.

Select Next.

Select the private DNS the Private Endpoints will use.

Select Next.

Optionally add Tags.

Select Next : Review + Create.

Review the information and select Create. Follow the Audit Procedure to determine if it has successfully applied.

Repeat steps 3-19 for each Key Vault.

Remediate from Azure CLI

To create an endpoint, run the following command:

az network private-endpoint create --resource-group <resourceGroup --vnet-name <vnetName> --subnet <subnetName> --name <PrivateEndpointName> --private-connection-resource-id '/subscriptions/<AZURE SUBSCRIPTION ID>/resourceGroups/<resourceGroup>/providers/Microsoft.KeyVault/vaults/<keyVaultName>' --group-ids vault --connection-name <privateLinkConnectionName> --location <azureRegion> --manual-request

To manually approve the endpoint request, run the following command:

az keyvault private-endpoint-connection approve --resource-group <resourceGroup> --vault-name <keyVaultName> -name <privateLinkName>

Determine the Private Endpoint's IP address to connect the Key Vault to the Private DNS you have previously created:

Look for the property networkInterfaces then id; the value must be placed in the variable <privateEndpointNIC> within step 7.

az network private-endpoint show -g <resourceGroupName> -n <privateEndpointName>

Look for the property networkInterfaces then id; the value must be placed on <privateEndpointNIC> in step 7.

az network nic show --ids <privateEndpointName>

Create a Private DNS record within the DNS Zone you created for the Private Endpoint:

az network private-dns record-set a add-record -g <resourcecGroupName> -z 'privatelink.vaultcore.azure.net' -n <keyVaultName> -a <privateEndpointNIC>

nslookup the private endpoint to determine if the DNS record is correct:

nslookup <keyVaultName>.vault.azure.net
nslookup <keyVaultName>.privatelink.vaultcore.azure.n

Default Value:

By default, Private Endpoints are not enabled for any services within Azure.

See Also

https://workbench.cisecurity.org/benchmarks/16820

Item Details

Category: CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-7, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-8, 800-53|SC-7, CSCv7|14.1

Plugin: microsoft_azure

Control ID: 32128a40a3131224a509d24df6db7eb2a5a033fda87512272b60e545d45fb2b4