terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl
Network ACLs reduce your exposure by limiting what can reach your key vault over the network. The ACL's default action should be set to Deny so that callers whose IPs (or virtual networks) are not explicitly matched are rejected; trusted Azure services can still be allowed through via the bypass setting.
Definition
rules:
  - id: keyvault-specify-network-acl
    message: Network ACLs allow you to reduce your exposure to risk by limiting what
      can access your key vault. The default action of the Network ACL should be
      set to deny for when IPs are not matched. Azure services can be allowed to
      bypass.
    patterns:
      - pattern: resource
      - pattern-not-inside: |
          resource "azurerm_key_vault" "..." {
            ...
            network_acls {
              ...
              default_action = "Deny"
              ...
            }
            ...
          }
      - pattern-either:
          - pattern-inside: |
              resource "azurerm_key_vault" "..." {
                ...
              }
          - pattern-inside: |
              resource "azurerm_key_vault" "..." {
                ...
                network_acls {
                  ...
                  default_action = "Allow"
                  ...
                }
                ...
              }
    metadata:
      cwe:
        - "CWE-284: Improper Access Control"
      category: security
      technology:
        - terraform
        - azure
      references:
        - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#network_acls
        - https://docs.microsoft.com/en-us/azure/key-vault/general/network-security
      owasp:
        - A05:2017 - Broken Access Control
        - A01:2021 - Broken Access Control
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    languages:
      - hcl
    severity: ERROR
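The rule above boils down to one check: every `azurerm_key_vault` resource must carry a `network_acls` block whose `default_action` is `"Deny"`; a vault with no block at all, or with `"Allow"`, is reported. The following stdlib-only Python script is an added illustration of that same logic and is not Semgrep's code or the rule's implementation. It uses a small brace-matching scanner rather than a real HCL parser (comments, heredocs and braces inside strings are not handled), and the Terraform input it scans is constructed here; the `ip_rules` argument in the compliant sample is the provider's own `network_acls` argument for allow-listing source ranges, not something the rule itself inspects.

```python
"""Approximation of the keyvault-specify-network-acl check using only the stdlib.

Walks Terraform text, finds every azurerm_key_vault resource, and reports those
that lack a network_acls block or whose default_action is not "Deny". This is
an added example for illustration; use semgrep itself for real scanning.
"""
import re

# A resource header such as: resource "azurerm_key_vault" "name" {
RESOURCE_RE = re.compile(r'resource\s+"azurerm_key_vault"\s+"([^"]+)"\s*\{')
ACL_RE = re.compile(r'network_acls\s*\{')
DEFAULT_ACTION_RE = re.compile(r'default_action\s*=\s*"([^"]*)"')


def _block_body(text, open_brace_idx):
    """Return the text between the brace at open_brace_idx and its matching close."""
    depth = 0
    for i in range(open_brace_idx, len(text)):
        ch = text[i]
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace_idx + 1:i]
    raise ValueError("unbalanced braces in Terraform input")


def find_key_vault_findings(tf_text):
    """Return [(resource_name, reason), ...] for each non-compliant key vault."""
    findings = []
    for m in RESOURCE_RE.finditer(tf_text):
        name = m.group(1)
        body = _block_body(tf_text, m.end() - 1)  # m.end() - 1 is the '{'
        acl = ACL_RE.search(body)
        if acl is None:
            # Mirrors the first pattern-inside branch: a vault with no ACL block.
            findings.append((name, "no network_acls block"))
            continue
        acl_body = _block_body(body, acl.end() - 1)
        action = DEFAULT_ACTION_RE.search(acl_body)
        if action is None:
            findings.append((name, "network_acls has no default_action"))
        elif action.group(1) != "Deny":
            # Mirrors the second branch: an ACL that does not deny by default.
            findings.append((name, f'default_action is "{action.group(1)}", expected "Deny"'))
    return findings


# Constructed sample input (not from the page): one compliant vault, the two
# non-compliant shapes the rule targets, and an unrelated resource type that
# must not be reported even though it has its own default_action.
SAMPLE_TF = '''
resource "azurerm_key_vault" "good_example" {
  name = "examplekeyvault"
  network_acls {
    bypass         = "AzureServices"
    default_action = "Deny"
    ip_rules       = ["203.0.113.0/24"]
  }
}

resource "azurerm_key_vault" "no_acl" {
  name = "examplekeyvault"
}

resource "azurerm_key_vault" "allow_all" {
  name = "examplekeyvault"
  network_acls {
    bypass         = "AzureServices"
    default_action = "Allow"
  }
}

resource "azurerm_storage_account" "unrelated" {
  network_rules {
    default_action = "Allow"
  }
}
'''

if __name__ == "__main__":
    for resource_name, reason in find_key_vault_findings(SAMPLE_TF):
        print(f"azurerm_key_vault.{resource_name}: {reason}")
```

Run against the constructed sample, the scanner reports `no_acl` and `allow_all` and stays silent on `good_example` and on the storage account, which is exactly the split the Semgrep rule's `pattern-not-inside` / `pattern-either` combination produces.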
Examples
keyvault-specify-network-acl.tf
# Compliant: unmatched callers are denied, trusted Azure services may bypass.
resource "azurerm_key_vault" "good_example" {
  name                        = "examplekeyvault"
  location                    = azurerm_resource_group.good_example.location
  enabled_for_disk_encryption = true
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false

  network_acls {
    bypass         = "AzureServices"
    default_action = "Deny"
  }
}

# Non-compliant: no network_acls block at all.
# ruleid: keyvault-specify-network-acl
resource "azurerm_key_vault" "bad_example" {
  name                        = "examplekeyvault"
  location                    = azurerm_resource_group.bad_example.location
  enabled_for_disk_encryption = true
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false
}

# Non-compliant: network_acls present but default_action allows unmatched callers.
# ruleid: keyvault-specify-network-acl
resource "azurerm_key_vault" "bad_example" {
  name                        = "examplekeyvault"
  location                    = azurerm_resource_group.bad_example.location
  enabled_for_disk_encryption = true
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false

  network_acls {
    bypass         = "AzureServices"
    default_action = "Allow"
  }
}
Short Link: https://sg.run/nKgX