terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl


Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The network ACL's default action should be set to Deny so that requests from IPs that match no rule are refused. Trusted Azure services can be allowed to bypass the ACL.


Definition

rules:
  - id: keyvault-specify-network-acl
    message: Network ACLs allow you to reduce your exposure to risk by limiting what
      can access your key vault. The default action of the Network ACL should be
      set to deny for when IPs are not matched. Azure services can be allowed to
      bypass.
    patterns:
      - pattern: resource
      - pattern-not-inside: |
          resource "azurerm_key_vault" "..." {
          ...
          network_acls {
              ...
              default_action = "Deny"
              ...
          }
          ...
          }
      - pattern-either:
          - pattern-inside: |
              resource "azurerm_key_vault" "..." {
              ...
              }
          - pattern-inside: |
              resource "azurerm_key_vault" "..." {
              ...
              network_acls {
                  ...
                  default_action = "Allow"
                  ...
              }
              ...
              }
    metadata:
      cwe:
        - "CWE-284: Improper Access Control"
      category: security
      technology:
        - terraform
        - azure
      references:
        - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#network_acls
        - https://docs.microsoft.com/en-us/azure/key-vault/general/network-security
      owasp:
        - A05:2017 - Broken Access Control
        - A01:2021 - Broken Access Control
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    languages:
      - hcl
    severity: ERROR

Examples

keyvault-specify-network-acl.tf

resource "azurerm_key_vault" "good_example" {
    name                        = "examplekeyvault"
    location                    = azurerm_resource_group.good_example.location
    enabled_for_disk_encryption = true
    soft_delete_retention_days  = 7
    purge_protection_enabled    = false

    network_acls {
        bypass = "AzureServices"
        default_action = "Deny"
    }
}

# ruleid: keyvault-specify-network-acl
resource "azurerm_key_vault" "bad_example" {
    name                        = "examplekeyvault"
    location                    = azurerm_resource_group.bad_example.location
    enabled_for_disk_encryption = true
    soft_delete_retention_days  = 7
    purge_protection_enabled    = false
}

# ruleid: keyvault-specify-network-acl
resource "azurerm_key_vault" "bad_example" {
    name                        = "examplekeyvault"
    location                    = azurerm_resource_group.bad_example.location
    enabled_for_disk_encryption = true
    soft_delete_retention_days  = 7
    purge_protection_enabled    = false

    network_acls {
        bypass = "AzureServices"
        default_action = "Allow"
    }
}
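The good_example above only sets bypass and default_action; the following added example (not part of the Semgrep rule or its test file) shows the same Deny default alongside the explicit allow list a real deployment needs so that legitimate clients keep working. Resource names, the CIDR, the subnet and the resource group reference are assumed placeholders.

```hcl
# Added example: a key vault that denies by default but admits named sources.
# Resource names, the CIDR and the subnet are constructed placeholders.

resource "azurerm_key_vault" "hardened_example" {
  name                = "examplekeyvault"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  network_acls {
    # Anything not matched by the rules below is refused.
    # This is the setting the Semgrep rule checks for.
    default_action = "Deny"

    # Trusted Microsoft services (e.g. disk encryption) may still reach
    # the vault even though the default is Deny.
    bypass = "AzureServices"

    # Public sources that legitimately need access, by CIDR.
    # 203.0.113.0/24 is a constructed documentation range.
    ip_rules = ["203.0.113.0/24"]

    # Private sources: subnets that have the Key Vault service endpoint.
    virtual_network_subnet_ids = [azurerm_subnet.app.id]
  }
}

# Subnet referenced above. The Microsoft.KeyVault service endpoint must be
# enabled on the subnet, otherwise the subnet rule has no effect.
resource "azurerm_subnet" "app" {
  name                 = "app-subnet"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/24"]
  service_endpoints    = ["Microsoft.KeyVault"]
}
```

Because the rule only matches `default_action`, a vault with `default_action = "Deny"` and an over-broad `ip_rules` entry such as `0.0.0.0/0` still passes it; review the allow list separately.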