package keyvault

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckSpecifyNetworkAcl registers AVD-AZU-0013 for the Azure keyvault service.
//
// The rule walks every Key Vault in the scanned state and requires the vault's
// network ACL default action to be "Deny": any caller that is not matched by an
// explicit allow entry (Azure services may still be allowed to bypass, as the
// Explanation notes) is then refused at the network layer. A vault whose default
// action is anything else is reported as a failure, which is why the rule is
// rated Critical. Vaults whose metadata is unmanaged are skipped rather than
// judged.
var CheckSpecifyNetworkAcl = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AZU-0013",
		Provider:    providers.AzureProvider,
		Service:     "keyvault",
		ShortCode:   "specify-network-acl",
		Summary:     "Key vault should have the network acl block specified",
		Impact:      "Without a network ACL the key vault is freely accessible",
		Resolution:  "Set a network ACL for the key vault",
		Explanation: `Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault.

The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass.`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/key-vault/general/network-security",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformSpecifyNetworkAclGoodExamples,
			BadExamples:         terraformSpecifyNetworkAclBadExamples,
			Links:               terraformSpecifyNetworkAclLinks,
			RemediationMarkdown: terraformSpecifyNetworkAclRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	// Evaluate every vault in the state; one result per managed vault.
	func(s *state.State) scan.Results {
		var results scan.Results
		vaults := s.Azure.KeyVault.Vaults
		for i := range vaults {
			// Work on a per-iteration copy so the pointer handed to
			// AddPassed refers to this vault only.
			vault := vaults[i]
			switch {
			case vault.Metadata.IsUnmanaged():
				// Not under the scanned configuration's control: neither
				// pass nor fail.
			case vault.NetworkACLs.DefaultAction.NotEqualTo("Deny"):
				// Literal comparison against "Deny"; anything else (including
				// "Allow") leaves unmatched callers able to reach the vault.
				// NOTE(review): a vault with no network_acls block presumably
				// yields a DefaultAction that is not "Deny" and is therefore
				// flagged here — confirm against the adapter's default value,
				// and confirm NotEqualTo's case handling if providers may
				// emit "deny".
				results.Add(
					"Vault network ACL does not block access by default.",
					vault.NetworkACLs.DefaultAction,
				)
			default:
				results.AddPassed(&vault)
			}
		}
		return results
	},
)