Terraform Bypass None Unrestricted Access
Description
Detects Azure Key Vault configurations that could allow unrestricted access by bypassing access policies. This security issue occurs when a Key Vault is configured to allow operations without requiring proper access policies, potentially exposing sensitive secrets and keys to unauthorized users.
Detection Strategy
• Scans Terraform configuration files for 'azurerm_key_vault' resource blocks
• Checks if the Key Vault is configured to bypass access policy restrictions
• Examines the presence and values of access control settings that could allow unrestricted operations
• Reports a vulnerability if dangerous bypass settings are detected that could enable unauthorized access
Vulnerable code example
resource "azurerm_key_vault" "vulnerable" {
  name                = "vault123"
  location            = "westus2"
  resource_group_name = "example-rg"
  sku_name            = "standard"
  tenant_id           = "11111111-1111-1111-1111-111111111111"
  network_acls {...
✅ Secure code example
resource "azurerm_key_vault" "secure" {
  name                       = "vault123"
  location                   = "westus2"
  resource_group_name        = "example-rg"
  sku_name                   = "standard"
  tenant_id                  = data.azurerm_client_config.current.tenant_id # Use dynamic tenant ID instead of hardcoding
  soft_delete_retention_days = 7
  purge_protection_enabled   = true # Prevents permanent deletion of secrets...
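As an added example (not Fluid Attacks' own scanner), the following Python script implements the detection strategy above over a constructed Terraform snippet: it locates azurerm_key_vault blocks, reads each one's network_acls block, and reports vaults whose network rules leave them reachable from any network. It assumes, as the azurerm provider documents, that default_action = "Allow" (or a missing network_acls block) accepts requests from networks not listed in ip_rules or virtual_network_subnet_ids; the resource names and the subnet reference in the sample are constructed.

```python
"""Added example, not Fluid Attacks' scanner: report azurerm_key_vault
resources whose network_acls leave the vault reachable from any network.
Assumption (azurerm provider docs): default_action = "Allow" accepts requests
from networks not listed in ip_rules/virtual_network_subnet_ids."""
import re

RESOURCE_RE = re.compile(r'resource\s+"azurerm_key_vault"\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]+?)"?\s*(?:#.*)?$', re.M)  # key = "value" / key = value, optional # comment

def _block_body(text, open_idx):
    """Text between the brace at open_idx and its matching closing brace."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in Terraform source")

def scan_key_vaults(hcl):
    """Return (resource name, reason) for every vault with open network access."""
    findings = []
    for m in RESOURCE_RE.finditer(hcl):
        body = _block_body(hcl, m.end() - 1)          # m.end()-1 is the '{'
        acl = re.search(r"network_acls\s*\{", body)
        if acl is None:                                # no network rules at all
            findings.append((m.group(1), "no network_acls block"))
            continue
        attrs = dict(ATTR_RE.findall(_block_body(body, acl.end() - 1)))
        if attrs.get("default_action") != "Deny":      # anything but Deny is open
            findings.append((m.group(1), f"default_action={attrs.get('default_action')} bypass={attrs.get('bypass')}"))
    return findings

# Constructed sample: one open vault, one locked-down vault.
SAMPLE_TF = '''resource "azurerm_key_vault" "open" {
  network_acls {
    bypass         = "None"
    default_action = "Allow"   # any network can reach the vault
  }
}
resource "azurerm_key_vault" "locked" {
  network_acls {
    bypass                     = "AzureServices"
    default_action             = "Deny"
    virtual_network_subnet_ids = [azurerm_subnet.app.id]
  }
}'''
```

Running `scan_key_vaults(SAMPLE_TF)` reports only the "open" vault; the same function can be pointed at the contents of any .tf file.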