last sync: 2023-Jan-27 18:40:07 UTC

Azure Policy definition

Key Vault should use a virtual network service endpoint

Name Key Vault should use a virtual network service endpoint
Azure Portal
Id ea4d6841-2173-4317-9747-ff522a45120f
Version 1.0.0
details on versioning
Category Network
Microsoft docs
Description This policy audits any Key Vault not configured to use a virtual network service endpoint.
Mode Indexed
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default
Audit
Allowed
Audit, Disabled
RBAC
Role(s)
none
Rule
Aliases
IF (2)
Alias Namespace ResourceType DefaultPath Modifiable
Microsoft.KeyVault/vaults/networkAcls.defaultAction Microsoft.KeyVault vaults properties.networkAcls.defaultAction true
Microsoft.KeyVault/vaults/networkAcls.virtualNetworkRules[*].id Microsoft.KeyVault vaults properties.networkAcls.virtualNetworkRules[*].id true
Rule
ResourceTypes
IF (1)
Microsoft.KeyVault/vaults
Compliance The following 9 compliance controls are associated with this Policy definition 'Key Vault should use a virtual network service endpoint' (ea4d6841-2173-4317-9747-ff522a45120f)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v1.0 1.1 Azure_Security_Benchmark_v1.0_1.1 Azure Security Benchmark 1.1 Network Security Protect resources using Network Security Groups or Azure Firewall on your Virtual Network Customer Ensure that all Virtual Network subnet deployments have a Network Security Group applied with network access controls specific to your application's trusted ports and sources. Use Azure Services with Private Link enabled, deploy the service inside your Vnet, or connect privately using Private Endpoints. For service specific requirements, please refer to the security recommendation for that specific service. Alternatively, if you have a specific use case, requirements can be met by implementing Azure Firewall. General Information on Private Link: https://docs.microsoft.com/azure/private-link/private-link-overview How to create a Virtual Network: https://docs.microsoft.com/azure/virtual-network/quick-create-portal How to create an NSG with a security configuration: https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic How to deploy and configure Azure Firewall: https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal n/a link 21
hipaa 0805.01m1Organizational.12-01.m hipaa-0805.01m1Organizational.12-01.m 0805.01m1Organizational.12-01.m 08 Network Protection 0805.01m1Organizational.12-01.m 01.04 Network Access Control Shared n/a The organization's security gateways (e.g., firewalls) (i) enforce security policies; (ii) are configured to filter traffic between domains; (iii) block unauthorized access; (iv) are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet), including DMZs; and, (vi) enforce access control policies for each of the domains. 12
hipaa 0806.01m2Organizational.12356-01.m hipaa-0806.01m2Organizational.12356-01.m 0806.01m2Organizational.12356-01.m 08 Network Protection 0806.01m2Organizational.12356-01.m 01.04 Network Access Control Shared n/a The organization’s network is logically and physically segmented with a defined security perimeter and a graduated set of controls, including subnetworks for publicly accessible system components that are logically separated from the internal network, based on organizational requirements; traffic is controlled based on functionality required and classification of the data/systems based on a risk assessment and their respective security requirements. 13
hipaa 0865.09m2Organizational.13-09.m hipaa-0865.09m2Organizational.13-09.m 0865.09m2Organizational.13-09.m 08 Network Protection 0865.09m2Organizational.13-09.m 09.06 Network Security Management Shared n/a The organization (i) authorizes connections from the information system to other information systems outside of the organization through the use of interconnection security agreements or other formal agreement; (ii) documents each connection, the interface characteristics, security requirements, and the nature of the information communicated; (iii) employs a deny-all, permit-by-exception policy for allowing connections from the information system to other information systems outside of the organization; and, (iv) applies a default-deny rule that drops all traffic via host-based firewalls or port filtering tools on its endpoints (workstations, servers, etc.), except those services and ports that are explicitly allowed. 5
hipaa 0894.01m2Organizational.7-01.m hipaa-0894.01m2Organizational.7-01.m 0894.01m2Organizational.7-01.m 08 Network Protection 0894.01m2Organizational.7-01.m 01.04 Network Access Control Shared n/a Networks are segregated from production-level networks when migrating physical servers, applications, or data to virtualized servers. 19
RMiT_v1.0 10.19 RMiT_v1.0_10.19 RMiT 10.19 Cryptography Cryptography - 10.19 Shared n/a A financial institution must ensure cryptographic controls are based on the effective implementation of suitable cryptographic protocols. The protocols shall include secret and public cryptographic key protocols, both of which shall reflect a high degree of protection to the applicable secret or private cryptographic keys. The selection of such protocols must be based on recognised international standards and tested accordingly. Commensurate with the level of risk, secret cryptographic key and private-cryptographic key storage and encryption/decryption computation must be undertaken in a protected environment, supported by a hardware security module (HSM) or trusted execution environment (TEE). link 6
SWIFT_CSCF_v2021 1.1 SWIFT_CSCF_v2021_1.1 SWIFT CSCF v2021 1.1 SWIFT Environment Protection SWIFT Environment Protection n/a Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. link 30
SWIFT_CSCF_v2022 1.1 SWIFT_CSCF_v2022_1.1 SWIFT CSCF v2022 1.1 1. Restrict Internet Access & Protect Critical Systems from General IT Environment Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. Shared n/a A separated secure zone safeguards the user's SWIFT infrastructure from compromises and attacks on the broader enterprise and external environments. link 22
SWIFT_CSCF_v2022 1.5A SWIFT_CSCF_v2022_1.5A SWIFT CSCF v2022 1.5A 1. Restrict Internet Access & Protect Critical Systems from General IT Environment Ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. Shared n/a A separated secure zone safeguards the customer's infrastructure used for external connectivity from external environments and compromises or attacks on the broader enterprise environment. link 26
History
Date/Time (UTC ymd) (i) Change type Change detail
2019-10-11 00:02:54 add ea4d6841-2173-4317-9747-ff522a45120f
Initiatives
usage
Initiative DisplayName Initiative Id Initiative Category State Type
[Deprecated]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Deprecated BuiltIn
[Preview]: SWIFT CSP-CSCF v2021 abf84fac-f817-a70c-14b5-47eec767458a Regulatory Compliance Preview BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
JSON