Information disclosure due to public network access on Azure Key Vault

Critical Risk infrastructure-security
Tags: azure, key-vault, secrets-management, public-access, network-security, information-disclosure, terraform

What it is

An Azure Key Vault configured with public network access enabled exposes its endpoint, and with it the secrets, keys, and certificates it stores, to internet traffic. That exposure enables brute-force attacks, unauthorized access attempts, and potential disclosure of sensitive cryptographic material, because attackers can target the Key Vault endpoint directly from the internet.

# VULNERABLE: Key Vault with public access
resource "azurerm_key_vault" "vulnerable" {
  name                = "vulnerable-vault"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
  
  # VULNERABLE: Public access enabled
  public_network_access_enabled = true
  
  # VULNERABLE: No network restrictions
  # Anyone on internet can attempt access
  
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id
    
    secret_permissions = [
      "Get", "List", "Set", "Delete"
    ]
  }
}

# SECURE: Key Vault with private access only
resource "azurerm_key_vault" "secure" {
  name                = "secure-vault"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "premium"
  
  # SECURE: Disable public access
  public_network_access_enabled = false
  
  # SECURE: Enable security features
  enable_rbac_authorization = true
  purge_protection_enabled  = true
  soft_delete_retention_days = 90
  
  # SECURE: Strict network ACLs
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
    
    # Only allow specific VNets
    virtual_network_subnet_ids = [
      azurerm_subnet.private.id
    ]
    
    # Allow only specific IPs
    ip_rules = [
      "203.0.113.10/32"
    ]
  }
}

# SECURE: Private endpoint for vault access
resource "azurerm_private_endpoint" "vault_pe" {
  name                = "vault-private-endpoint"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  subnet_id           = azurerm_subnet.private_endpoints.id
  
  private_service_connection {
    name                           = "vault-psc"
    private_connection_resource_id = azurerm_key_vault.secure.id
    subresource_names              = ["Vault"]
    is_manual_connection           = false
  }
}

💡 Why This Fix Works

The vulnerable configuration enables public network access to Key Vault, allowing anyone on the internet to attempt connections to the vault endpoint. The secure version disables public access, implements strict network ACLs with default deny, allows access only from specific virtual networks and IP addresses, and uses a private endpoint to ensure all vault access flows through private network connections.

Why it happens

Azure Key Vault is created with public_network_access_enabled = true by default, exposing the vault endpoint to the internet. Without explicit configuration to disable public access, sensitive secrets and keys are accessible from any network.

Root causes

Default Public Network Access

The azurerm provider creates a Key Vault with public_network_access_enabled = true unless told otherwise, so a vault definition that never mentions the attribute leaves the endpoint reachable from the internet. Teams that rely on the default inherit that exposure without noticing, and the vault's secrets and keys can be targeted from any network.

Missing Network Access Control Lists

Key Vault resources lack network_acls configuration blocks with IP restrictions and virtual network rules. Without ACLs, the vault accepts connections from all IP addresses, enabling brute-force and unauthorized access attempts.

No Private Endpoint Implementation

Organizations fail to configure Azure Private Endpoints for Key Vault access. Without a private endpoint, all vault traffic flows over the public internet rather than staying within private Azure networks.

Inadequate Network Segmentation

Key Vault access controls don't leverage network-level security measures. Vaults are left accessible from public networks rather than restricting access to specific virtual networks or subnets.

Default Allow Network Policies

Network ACL configurations use default_action = "Allow" instead of "Deny", permitting all traffic unless explicitly blocked. This insecure default allows unrestricted access to vault endpoints from the internet.

Fixes

1. Disable Public Network Access

Set public_network_access_enabled = false on all Azure Key Vault resources in Terraform. This completely disables public internet access to the vault, requiring all access to flow through private endpoints or approved networks.

2. Implement Private Endpoint Access

Configure Azure Private Endpoints (azurerm_private_endpoint) for Key Vault access. Private endpoints provide vault access through private IP addresses within your virtual network, keeping all traffic off the public internet.

3. Configure Network ACLs with Default Deny

Add network_acls configuration blocks with default_action = "Deny" to implement zero-trust network security. Only explicitly allow access from specific virtual network subnets and IP addresses that require vault access.

4. Apply IP Allowlists and VNet Rules

Use network_acls to specify ip_rules for allowed IP ranges and virtual_network_subnet_ids for permitted subnets. Implement the principle of least privilege by only allowing access from known, trusted network locations.

5. Enable RBAC Authorization

Set enable_rbac_authorization = true to use Azure Role-Based Access Control for Key Vault access management. RBAC provides more granular and manageable permissions compared to access policies, with better integration into Azure AD.
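To catch the root causes above before apply, here is an added audit script (not the page's or Sourcery's own code) that reads `terraform show -json` output and reports each azurerm_key_vault that still has public access enabled, lacks a default-Deny network_acls block, has no azurerm_private_endpoint pointing at it, or still uses access policies instead of RBAC. The embedded state document, the subscription placeholder in VAULT_ID and the resource addresses are constructed for the example.

```python
import json

# Constructed sample of `terraform show -json` state output, trimmed to the
# attributes this audit reads; subscription and resource ids are placeholders.
VAULT_ID = "/subscriptions/<sub-id>/resourceGroups/rg-example/providers/Microsoft.KeyVault/vaults/"
SAMPLE_STATE = json.dumps({"values": {"root_module": {"resources": [
    {"address": "azurerm_key_vault.vulnerable", "type": "azurerm_key_vault",
     "values": {"id": VAULT_ID + "vulnerable-vault", "public_network_access_enabled": True,
                "enable_rbac_authorization": False, "network_acls": []}},
    {"address": "azurerm_key_vault.secure", "type": "azurerm_key_vault",
     "values": {"id": VAULT_ID + "secure-vault", "public_network_access_enabled": False,
                "enable_rbac_authorization": True,
                "network_acls": [{"default_action": "Deny", "bypass": "AzureServices"}]}},
    {"address": "azurerm_private_endpoint.vault_pe", "type": "azurerm_private_endpoint",
     "values": {"private_service_connection": [
         {"private_connection_resource_id": VAULT_ID + "secure-vault"}]}},
]}}})


def _resources(state: dict):
    """Yield every resource in the root module and all child modules."""
    stack = [state["values"]["root_module"]]
    while stack:
        mod = stack.pop()
        yield from mod.get("resources", [])
        stack.extend(mod.get("child_modules", []))


def audit_key_vaults(state_json: str) -> dict:
    """Return {vault address: [findings]}; an empty list means the vault passes."""
    res = list(_resources(json.loads(state_json)))
    # Vault ids that some private endpoint points at (the private access path).
    pe_targets = {c.get("private_connection_resource_id")
                  for r in res if r["type"] == "azurerm_private_endpoint"
                  for c in r["values"].get("private_service_connection", [])}
    report = {}
    for r in res:
        if r["type"] != "azurerm_key_vault":
            continue
        v = r["values"]
        acls = v.get("network_acls") or []  # nested blocks serialise as lists
        checks = [  # (is_violated, finding)
            (v.get("public_network_access_enabled", True), "public_network_access_enabled is true"),
            (not acls or acls[0].get("default_action") != "Deny", "network_acls default_action is not Deny"),
            (v.get("id") not in pe_targets, "no azurerm_private_endpoint targets this vault"),
            (not v.get("enable_rbac_authorization"), "enable_rbac_authorization is false"),
        ]
        report[r["address"]] = [msg for bad, msg in checks if bad]
    return report
```

Run it against real output with `terraform show -json > state.json` and pass the file contents to audit_key_vaults; a non-empty findings list for any vault should fail the pipeline.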

Detect This Vulnerability in Your Code

Sourcery automatically identifies information disclosure due to public network access on Azure Key Vault and many other security issues in your codebase.