// CheckContentTypeForSecret reports Key Vault secrets whose ContentType is empty.
//
// The content type is only an interpretation hint for whoever retrieves the
// secret (see Explanation); the rule tests for an empty field and does not
// validate the value. Secrets in every vault are examined — unlike the
// vault-level rules in this package there is no IsUnmanaged guard here.
var CheckContentTypeForSecret = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AZU-0015",
		Provider:   providers.AzureProvider,
		Service:    "keyvault",
		ShortCode:  "content-type-for-secret",
		Summary:    "Key vault Secret should have a content type set",
		Impact:     "The secret's type is unclear without a content type",
		Resolution: "Provide content type for secrets to aid interpretation on retrieval",
		Explanation: `Content Type is an optional Key Vault Secret behavior and is not enabled by default.

Clients may specify the content type of a secret to assist in interpreting the secret data when it's retrieved. The maximum length of this field is 255 characters. There are no pre-defined values. The suggested usage is as a hint for interpreting the secret data.`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformContentTypeForSecretGoodExamples,
			BadExamples:         terraformContentTypeForSecretBadExamples,
			Links:               terraformContentTypeForSecretLinks,
			RemediationMarkdown: terraformContentTypeForSecretRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		for _, kv := range s.Azure.KeyVault.Vaults {
			for _, sec := range kv.Secrets {
				if !sec.ContentType.IsEmpty() {
					// NOTE(review): &sec is the address of the range variable;
					// before Go 1.22 every iteration shares it, which is only
					// safe if AddPassed consumes it immediately — confirm.
					results.AddPassed(&sec)
					continue
				}
				results.Add(
					"Secret does not have a content-type specified.",
					sec.ContentType,
				)
			}
		}
		return
	},
)
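// CheckEnsureKeyExpiry reports Key Vault keys that have no expiration date.
//
// Only the presence of an expiry is tested (ExpiryDate.IsNever()); the rule
// does not assess whether the date is reasonably near or already in the past,
// so a key that expires decades from now still passes. Keys in every vault are
// inspected, including vaults this package's vault-level rules skip as
// unmanaged.
//
// The Explanation text previously read "will be become inactive"; the typo is
// fixed here since the string is rendered verbatim in scan output.
var CheckEnsureKeyExpiry = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AZU-0014",
		Provider:   providers.AzureProvider,
		Service:    "keyvault",
		ShortCode:  "ensure-key-expiry",
		Summary:    "Ensure that the expiration date is set on all keys",
		Impact:     "Long life keys increase the attack surface when compromised",
		Resolution: "Set an expiration date on the vault key",
		Explanation: `Expiration Date is an optional Key Vault Key behavior and is not set by default.

Set when the resource will become inactive.`,
		Links: []string{
			"https://docs.microsoft.com/en-us/powershell/module/az.keyvault/update-azkeyvaultkey?view=azps-5.8.0#example-1--modify-a-key-to-enable-it--and-set-the-expiration-date-and-tags",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnsureKeyExpiryGoodExamples,
			BadExamples:         terraformEnsureKeyExpiryBadExamples,
			Links:               terraformEnsureKeyExpiryLinks,
			RemediationMarkdown: terraformEnsureKeyExpiryRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		for _, kv := range s.Azure.KeyVault.Vaults {
			for _, k := range kv.Keys {
				if !k.ExpiryDate.IsNever() {
					// NOTE(review): &k is the address of the range variable;
					// before Go 1.22 every iteration shares it, which is only
					// safe if AddPassed consumes it immediately — confirm.
					results.AddPassed(&k)
					continue
				}
				results.Add(
					"Key should have an expiry date specified.",
					k.ExpiryDate,
				)
			}
		}
		return
	},
)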
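// CheckEnsureSecretExpiry reports Key Vault secrets that have no expiration date.
//
// Only the presence of an expiry is tested (ExpiryDate.IsNever()); how far out
// the date is, or whether it has already passed, is not evaluated. Secrets in
// every vault are inspected — there is no IsUnmanaged guard in this rule.
//
// The Explanation text previously read "will be become inactive"; the typo is
// fixed here since the string is rendered verbatim in scan output.
var CheckEnsureSecretExpiry = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AZU-0017",
		Provider:   providers.AzureProvider,
		Service:    "keyvault",
		ShortCode:  "ensure-secret-expiry",
		Summary:    "Key Vault Secret should have an expiration date set",
		Impact:     "Long life secrets increase the opportunity for compromise",
		Resolution: "Set an expiry for secrets",
		Explanation: `Expiration Date is an optional Key Vault Secret behavior and is not set by default.

Set when the resource will become inactive.`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnsureSecretExpiryGoodExamples,
			BadExamples:         terraformEnsureSecretExpiryBadExamples,
			Links:               terraformEnsureSecretExpiryLinks,
			RemediationMarkdown: terraformEnsureSecretExpiryRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		for _, kv := range s.Azure.KeyVault.Vaults {
			for _, sec := range kv.Secrets {
				if !sec.ExpiryDate.IsNever() {
					results.AddPassed(&sec)
					continue
				}
				results.Add(
					"Secret should have an expiry date specified.",
					sec.ExpiryDate,
				)
			}
		}
		return
	},
)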
// CheckNoPurge reports managed Key Vaults without purge protection, and vaults
// that enable it with a soft-delete retention outside the 7–90 day window the
// rule requires.
//
// Unmanaged vaults are skipped. A vault fails only on a confirmed
// misconfiguration: EnablePurgeProtection provably false, or provably true
// with SoftDeleteRetentionDays below 7 or above 90. Any value that is neither
// provably true nor false (e.g. unresolvable at plan time) reaches the pass
// branch, so this rule errs toward silence rather than false positives.
var CheckNoPurge = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AZU-0016",
		Provider:   providers.AzureProvider,
		Service:    "keyvault",
		ShortCode:  "no-purge",
		Summary:    "Key vault should have purge protection enabled",
		Impact:     "Keys could be purged from the vault without protection",
		Resolution: "Enable purge protection for key vaults",
		Explanation: `Purge protection is an optional Key Vault behavior and is not enabled by default.

Purge protection can only be enabled once soft-delete is enabled. It can be turned on via CLI or PowerShell.`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview#purge-protection",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPurgeGoodExamples,
			BadExamples:         terraformNoPurgeBadExamples,
			Links:               terraformNoPurgeLinks,
			RemediationMarkdown: terraformNoPurgeRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		for _, kv := range s.Azure.KeyVault.Vaults {
			if kv.Metadata.IsUnmanaged() {
				continue
			}
			switch {
			case kv.EnablePurgeProtection.IsFalse():
				results.Add(
					"Vault does not have purge protection enabled.",
					kv.EnablePurgeProtection,
				)
			case kv.EnablePurgeProtection.IsTrue() &&
				(kv.SoftDeleteRetentionDays.LessThan(7) || kv.SoftDeleteRetentionDays.GreaterThan(90)):
				// Purge protection is on, but the retention window is outside
				// the range this rule accepts.
				results.Add(
					"Resource should have soft_delete_retention_days set between 7 and 90 days in order to enable purge protection.",
					kv.SoftDeleteRetentionDays,
				)
			default:
				results.AddPassed(&kv)
			}
		}
		return
	},
)
// CheckSpecifyNetworkAcl reports managed Key Vaults whose network ACL default
// action is anything other than the literal "Deny".
//
// Unmanaged vaults are skipped. Only NetworkACLs.DefaultAction is evaluated:
// the allow-list entries and the Azure-services bypass mentioned in the
// Explanation are not inspected, so a vault that passes may still be
// reachable from every listed range and from trusted Azure services. An
// absent or non-"Deny" default action is treated as a Critical finding.
var CheckSpecifyNetworkAcl = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AZU-0013",
		Provider:   providers.AzureProvider,
		Service:    "keyvault",
		ShortCode:  "specify-network-acl",
		Summary:    "Key vault should have the network acl block specified",
		Impact:     "Without a network ACL the key vault is freely accessible",
		Resolution: "Set a network ACL for the key vault",
		Explanation: `Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. 

The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass.`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/key-vault/general/network-security",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformSpecifyNetworkAclGoodExamples,
			BadExamples:         terraformSpecifyNetworkAclBadExamples,
			Links:               terraformSpecifyNetworkAclLinks,
			RemediationMarkdown: terraformSpecifyNetworkAclRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, kv := range s.Azure.KeyVault.Vaults {
			if kv.Metadata.IsUnmanaged() {
				continue
			}
			defaultAction := kv.NetworkACLs.DefaultAction
			if !defaultAction.NotEqualTo("Deny") {
				results.AddPassed(&kv)
				continue
			}
			results.Add(
				"Vault network ACL does not block access by default.",
				defaultAction,
			)
		}
		return
	},
)
