
Terraform Default Action Allow Key Vault

Description

Detects when an Azure Key Vault is configured with overly permissive default network access rules. This configuration could allow unauthorized network access to sensitive key vault data if specific IP restrictions or network rules are not properly configured.

Weakness:

157 - Unrestricted access between network segments

Category: Access Subversion

Detection Strategy

    Look for Azure Key Vault resource definitions in Terraform configurations

    Check if the Key Vault's network access rules allow unrestricted access by default

    Report a security issue if default network access is set to 'Allow' without proper IP restrictions

Vulnerable code example

resource "azurerm_key_vault" "vulnerable" {
  name                = "keyvault"
  resource_group_name = "example-group"
  location            = "eastus"
  tenant_id           = "11111111-1111-1111-1111-111111111111"
  sku_name            = "standard"  # Required by the azurerm provider; added so the block validates

  network_acls {
    default_action = "Allow"          # Vulnerable: allows access from all IP addresses...
    bypass         = "AzureServices"  # Required inside network_acls; irrelevant while default_action is "Allow"
  }
}

✅ Secure code example

resource "azurerm_key_vault" "secure" {
  name                        = "keyvault"
  resource_group_name         = "example-group"
  location                    = "eastus"
  tenant_id                   = data.azurerm_client_config.current.tenant_id  # Use dynamic reference instead of hardcoded ID
  sku_name                    = "standard"  # Required by the azurerm provider; added so the block validates

  soft_delete_retention_days  = 7
  purge_protection_enabled    = true  # Prevents malicious deletion of secrets...

  network_acls {
    default_action = "Deny"             # Block every source that is not explicitly listed below
    bypass         = "AzureServices"    # Trusted Azure services may still reach the vault
    ip_rules       = ["203.0.113.0/24"] # Example CIDR (documentation range); replace with the real allowed ranges
  }
}
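The following Python script is an added example, not part of this rule page or of any scanner it describes. It applies the detection strategy above to Terraform text: it locates every `resource "azurerm_key_vault"` block, finds the nested `network_acls` block and reports the resource when `default_action` is `"Allow"`. It assumes plain-text HCL and uses a simple brace-matching scan instead of a full HCL parser, so it is for illustration only. The constructed sample input reproduces the vulnerable and secure shapes shown above plus a vault with no `network_acls` block; the script flags that case too, because Azure then defaults to allowing all networks, which goes one step beyond the page's stated check. Note that any `ip_rules` present alongside `default_action = "Allow"` do not restrict anything, so the finding records their presence only as context.

```python
"""Added example: dependency-free scanner for the 'default_action = Allow' Key Vault rule."""
import re

RESOURCE_RE = re.compile(r'resource\s+"azurerm_key_vault"\s+"([^"]+)"\s*\{')
NETWORK_ACLS_RE = re.compile(r'\bnetwork_acls\s*\{')
DEFAULT_ACTION_RE = re.compile(r'\bdefault_action\s*=\s*"([^"]+)"')
IP_RULES_RE = re.compile(r'\bip_rules\s*=\s*\[([^\]]*)\]')


def _strip_comments(text: str) -> str:
    """Drop '#' and '//' line comments so commented-out settings are not scanned."""
    return re.sub(r'(#|//)[^\n]*', '', text)


def _block_body(text: str, open_brace: int) -> str:
    """Return the text between the '{' at open_brace and its matching '}'."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def scan_key_vaults(hcl: str) -> list:
    """Return one finding per azurerm_key_vault whose network default is Allow."""
    hcl = _strip_comments(hcl)
    findings = []
    for match in RESOURCE_RE.finditer(hcl):
        name = match.group(1)
        body = _block_body(hcl, match.end() - 1)  # match.end()-1 is the '{'
        acl = NETWORK_ACLS_RE.search(body)
        if acl is None:
            # Assumption stated in the lead-in: no network_acls means Azure's
            # own default of allowing all networks applies.
            findings.append({"resource": name, "default_action": None,
                             "ip_rules_present": False,
                             "reason": "no network_acls block; Azure defaults to Allow"})
            continue
        acl_body = _block_body(body, acl.end() - 1)
        action = DEFAULT_ACTION_RE.search(acl_body)
        if action and action.group(1) == "Allow":
            findings.append({"resource": name, "default_action": "Allow",
                             "ip_rules_present": IP_RULES_RE.search(acl_body) is not None,
                             "reason": "default_action is Allow; ip_rules do not restrict access"})
    return findings


# Constructed sample input: the two shapes from this page plus an implicit-default vault.
SAMPLE_HCL = '''
resource "azurerm_key_vault" "vulnerable" {
  name                = "kv-open"
  resource_group_name = "example-group"
  location            = "eastus"
  tenant_id           = "11111111-1111-1111-1111-111111111111"
  sku_name            = "standard"
  network_acls {
    default_action = "Allow"  # every source network is permitted
    bypass         = "AzureServices"
    ip_rules       = ["203.0.113.0/24"]  # ineffective while default_action is Allow
  }
}

resource "azurerm_key_vault" "secure" {
  name                = "kv-locked"
  resource_group_name = "example-group"
  location            = "eastus"
  tenant_id           = "11111111-1111-1111-1111-111111111111"
  sku_name            = "standard"
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
    ip_rules       = ["203.0.113.0/24"]
  }
}

resource "azurerm_key_vault" "implicit" {
  name                = "kv-implicit"
  resource_group_name = "example-group"
  location            = "eastus"
  tenant_id           = "11111111-1111-1111-1111-111111111111"
  sku_name            = "standard"
}
'''

if __name__ == "__main__":
    for finding in scan_key_vaults(SAMPLE_HCL):
        print(f"{finding['resource']}: {finding['reason']}")
```

Run against the sample, the script reports `vulnerable` and `implicit` and stays silent on `secure`. To use it on a real module, read each `.tf` file and pass its contents to `scan_key_vaults`; the comment stripper keeps a commented-out `default_action` from producing a false positive.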