From eba5ba55b58826f1c77bd4f974acf121f24e4ad7 Mon Sep 17 00:00:00 2001 From: Andrew Kisliakov Date: Thu, 29 Jun 2023 17:02:19 +0100 Subject: [PATCH 1/3] Key Vault Private Endpoint check --- ...ices.keyvault.subscriptions.id.vaults.html | 1 + .../azure/resources/keyvault/vaults.py | 7 +++++ .../keyvault-private-endpoints-not-used.json | 27 +++++++++++++++++++ .../azure/rules/rulesets/cis-1.2.0.json | 6 +++++ .../azure/rules/rulesets/default.json | 6 +++++ 5 files changed, 47 insertions(+) create mode 100644 ScoutSuite/providers/azure/rules/findings/keyvault-private-endpoints-not-used.json diff --git a/ScoutSuite/output/data/html/partials/azure/services.keyvault.subscriptions.id.vaults.html b/ScoutSuite/output/data/html/partials/azure/services.keyvault.subscriptions.id.vaults.html index f2134819e..a4d84cc51 100755 --- a/ScoutSuite/output/data/html/partials/azure/services.keyvault.subscriptions.id.vaults.html +++ b/ScoutSuite/output/data/html/partials/azure/services.keyvault.subscriptions.id.vaults.html @@ -8,6 +8,7 @@

Information

ID: {{ id }}
Location: {{value_or_none location}}
Public Access: {{ convert_bool_to_enabled public_access_allowed }}
+
Approved Private Endpoints: {{ private_endpoint_connections.length }}
Vault Recoverable: {{ recovery_protection_enabled }}
Tags: {{#each tags}} diff --git a/ScoutSuite/providers/azure/resources/keyvault/vaults.py b/ScoutSuite/providers/azure/resources/keyvault/vaults.py index a6b292f1a..c89a2f09e 100755 --- a/ScoutSuite/providers/azure/resources/keyvault/vaults.py +++ b/ScoutSuite/providers/azure/resources/keyvault/vaults.py @@ -33,7 +33,14 @@ def _parse_key_vault(self, raw_vault): 'recovery_protection_enabled'] = raw_vault.properties.enable_soft_delete and \ raw_vault.properties.enable_purge_protection vault['public_access_allowed'] = self._is_public_access_allowed(raw_vault) + vault['private_endpoint_connections'] = self._get_private_endpoint_connections(raw_vault) return vault['id'], vault def _is_public_access_allowed(self, raw_vault): return raw_vault.properties.network_acls is None + + def _get_private_endpoint_connections(self, raw_vault): + private_endpoint_connections = getattr(raw_vault.properties, "private_endpoint_connections", None) + if not private_endpoint_connections: + return [] + return [pe.private_endpoint.id for pe in private_endpoint_connections if pe.private_link_service_connection_state.status == 'Approved'] diff --git a/ScoutSuite/providers/azure/rules/findings/keyvault-private-endpoints-not-used.json b/ScoutSuite/providers/azure/rules/findings/keyvault-private-endpoints-not-used.json new file mode 100644 index 000000000..97420735f --- /dev/null +++ b/ScoutSuite/providers/azure/rules/findings/keyvault-private-endpoints-not-used.json 
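Review bot: The new `_get_private_endpoint_connections` dereferences `pe.private_endpoint.id` and `pe.private_link_service_connection_state.status` with no None guard, so a connection item the SDK returns with either field unset would raise AttributeError inside `_parse_key_vault` and drop that whole vault from the report — for a scanner that is a silent coverage gap, worse than a false finding. The rewrite below skips such entries instead of failing; the `== 'Approved'` comparison presumably relies on the SDK status being a str-valued enum, which is worth confirming rather than assuming. Separately, if the vault listing call the collector uses does not populate `private_endpoint_connections` (and only a per-vault GET does), the `getattr` default turns every vault into "no endpoints" and the new rule fires on all of them — verify against the fetch, which is outside this hunk. `_parse_key_vault` starts outside the hunk.
```python
    def _get_private_endpoint_connections(self, raw_vault):
        """Return the IDs of private endpoints whose connection to this vault is Approved.

        Entries with no endpoint or no connection state are skipped rather than
        aborting the parse of the whole vault.
        """
        connections = getattr(raw_vault.properties, "private_endpoint_connections", None) or []
        approved = []
        for pe in connections:
            endpoint = getattr(pe, "private_endpoint", None)
            state = getattr(pe, "private_link_service_connection_state", None)
            if endpoint is None or state is None:
                continue
            if state.status == 'Approved':
                approved.append(endpoint.id)
        return approved
```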
@@ -0,0 +1,27 @@ +{ + "description": "Key Vaults Not Using Private Endpoint Connections", + "rationale": "Private endpoints will keep network requests to Azure Key Vault limited to the endpoints attached to the resources that are whitelisted to communicate with each other. Assigning the Key Vault to a network without an endpoint will allow other resources on that network to view all traffic from the Key Vault to its destination. In spite of the complexity in configuration, this is recommended for high security secrets.", + "remediation": "In the Azure console:
  1. Go to Key Vaults
  2. For each key vault, click on the settings menu called Networking.
  3. Go to the tab named Private Endpoint Connections.
  4. Ensure that a private endpoint entry exists corresponding each Virtual Network that contains resources requiring access to the Key Vault resource.
  5. Click Save to apply your changes.
", + "compliance": [ + { + "name": "CIS Microsoft Azure Foundations", + "version": "1.2.0", + "reference": "8.7" + } + ], + "references": [ + "https://learn.microsoft.com/en-us/azure/key-vault/general/private-link-service", + "https://learn.microsoft.com/en-gb/security/benchmark/azure/baselines/key-vault-security-baseline?context=%2Fazure%2Fkey-vault%2Fgeneral%2Fcontext%2Fcontext#ns-2-secure-cloud-services-with-network-controls" + ], + "dashboard_name": "Keys", + "path": "keyvault.subscriptions.id.vaults.id", + "conditions": [ + "and", + [ + "keyvault.subscriptions.id.vaults.id.private_endpoint_connections", + "empty", + "" + ] + ], + "id_suffix": "private_endpoint_connections" +} \ No newline at end of file diff --git a/ScoutSuite/providers/azure/rules/rulesets/cis-1.2.0.json b/ScoutSuite/providers/azure/rules/rulesets/cis-1.2.0.json index 9c6815ddc..9ddf63583 100644 --- a/ScoutSuite/providers/azure/rules/rulesets/cis-1.2.0.json +++ b/ScoutSuite/providers/azure/rules/rulesets/cis-1.2.0.json @@ -117,6 +117,12 @@ "level": "warning" } ], + "keyvault-private-endpoints-not-used.json": [ + { + "enabled": true, + "level": "warning" + } + ], "logging-monitoring-log-alert-not-exist-create-policy-assignment.json": [ { "enabled": true, diff --git a/ScoutSuite/providers/azure/rules/rulesets/default.json b/ScoutSuite/providers/azure/rules/rulesets/default.json index 286085c0f..e242312ed 100755 --- a/ScoutSuite/providers/azure/rules/rulesets/default.json +++ b/ScoutSuite/providers/azure/rules/rulesets/default.json @@ -91,6 +91,12 @@ "level": "warning" } ], + "keyvault-private-endpoints-not-used.json": [ + { + "enabled": true, + "level": "warning" + } + ], "logging-monitoring-diagnostic-setting-does-not-exist.json": [ { "enabled": false, From ff57170e24ca9c584378c22ff77a5b66ca5e46f4 Mon Sep 17 00:00:00 2001 
From: Andrew Kisliakov Date: Mon, 3 Jul 2023 12:08:12 +0100 Subject: [PATCH 2/3] Fix rule definition --- .../rules/findings/keyvault-private-endpoints-not-used.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ScoutSuite/providers/azure/rules/findings/keyvault-private-endpoints-not-used.json b/ScoutSuite/providers/azure/rules/findings/keyvault-private-endpoints-not-used.json index 97420735f..792340f35 100644 --- a/ScoutSuite/providers/azure/rules/findings/keyvault-private-endpoints-not-used.json +++ b/ScoutSuite/providers/azure/rules/findings/keyvault-private-endpoints-not-used.json @@ -5,7 +5,7 @@ "compliance": [ { "name": "CIS Microsoft Azure Foundations", - "version": "1.2.0", + "version": "2.0.0", "reference": "8.7" } ], @@ -13,7 +13,7 @@ "https://learn.microsoft.com/en-us/azure/key-vault/general/private-link-service", "https://learn.microsoft.com/en-gb/security/benchmark/azure/baselines/key-vault-security-baseline?context=%2Fazure%2Fkey-vault%2Fgeneral%2Fcontext%2Fcontext#ns-2-secure-cloud-services-with-network-controls" ], - "dashboard_name": "Keys", + "dashboard_name": "Key Vaults", "path": "keyvault.subscriptions.id.vaults.id", "conditions": [ "and", From 1c15d194684b52ddd45b79222efc58292314c322 Mon Sep 17 00:00:00 2001 From: Andrew Kisliakov Date: Mon, 3 Jul 2023 12:09:24 +0100 Subject: [PATCH 3/3] Removed rule not in CIS benchmark 1.2.0 --- ScoutSuite/providers/azure/rules/rulesets/cis-1.2.0.json | 6 ------ 1 file changed, 6 deletions(-) diff --git a/ScoutSuite/providers/azure/rules/rulesets/cis-1.2.0.json b/ScoutSuite/providers/azure/rules/rulesets/cis-1.2.0.json index 9ddf63583..9c6815ddc 100644 --- a/ScoutSuite/providers/azure/rules/rulesets/cis-1.2.0.json +++ b/ScoutSuite/providers/azure/rules/rulesets/cis-1.2.0.json 
@@ -117,12 +117,6 @@ "level": "warning" } ], - "keyvault-private-endpoints-not-used.json": [ - { - "enabled": true, - "level": "warning" - } - ], "logging-monitoring-log-alert-not-exist-create-policy-assignment.json": [ { "enabled": true,