nccgroup · ncc-akis · Jun 29, 2023 · Jul 3, 2023 · Jul 3, 2023 · Jul 3, 2023
diff --git a/ScoutSuite/output/data/html/partials/azure/services.keyvault.subscriptions.id.vaults.html b/ScoutSuite/output/data/html/partials/azure/services.keyvault.subscriptions.id.vaults.html
@@ -8,6 +8,7 @@ <h4 class="list-group-item-heading">Information</h4>
         <div class="list-group-item-text item-margin">ID: <span id="keyvault.subscriptions.{{@../key}}.vaults.{{@key}}.id"><samp>{{ id }}</samp></span></div>
         <div class="list-group-item-text item-margin">Location: <span id="keyvault.subscriptions.{{@../key}}.vaults.{{@key}}.location"><samp>{{value_or_none location}}</samp></span></div>
         <div class="list-group-item-text item-margin">Public Access: <span id="keyvault.subscriptions.{{@../key}}.vaults.{{@key}}.public_access_allowed">{{ convert_bool_to_enabled public_access_allowed }}</span></div>
+        <div class="list-group-item-text item-margin">Approved Private Endpoints: <span id="keyvault.subscriptions.{{@../key}}.vaults.{{@key}}.private_endpoint_connections">{{ private_endpoint_connections.length }}</span></div>
         <div class="list-group-item-text item-margin">Vault Recoverable: <span id="keyvault.subscriptions.{{@../key}}.vaults.{{@key}}.recovery_protection_enabled">{{ recovery_protection_enabled }}</span></div>
         <div class="list-group-item-text item-margin">RBAC Permission Model: <span id="keyvault.subscriptions.{{@../key}}.vaults.{{@key}}.rbac_authorization_enabled">{{ convert_bool_to_enabled rbac_authorization_enabled }}</span></div>
         <div class="list-group-item-text item-margin">Tags:

diff --git a/ScoutSuite/providers/azure/resources/keyvault/vaults.py b/ScoutSuite/providers/azure/resources/keyvault/vaults.py
@@ -34,7 +34,14 @@
                                              bool(raw_vault.properties.enable_purge_protection)
         vault['public_access_allowed'] = self._is_public_access_allowed(raw_vault)
         vault['rbac_authorization_enabled'] = raw_vault.properties.enable_rbac_authorization
+        vault['private_endpoint_connections'] = self._get_private_endpoint_connections(raw_vault)
         return vault['id'], vault
 
     def _is_public_access_allowed(self, raw_vault):
         return raw_vault.properties.network_acls is None or raw_vault.properties.network_acls.default_action == 'Allow'
+
+    def _get_private_endpoint_connections(self, raw_vault):
+        private_endpoint_connections = getattr(raw_vault.properties, "private_endpoint_connections", None)
+        if not private_endpoint_connections:
+            return []
+        return [pe.private_endpoint.id for pe in private_endpoint_connections if pe.private_link_service_connection_state.status == 'Approved']
diff --git a/ScoutSuite/providers/azure/rules/findings/keyvault-private-endpoints-not-used.json b/ScoutSuite/providers/azure/rules/findings/keyvault-private-endpoints-not-used.json
@@ -0,0 +1,27 @@
+{
+    "description": "Key Vaults Not Using Private Endpoint Connections",
+    "rationale": "Private endpoints will keep network requests to Azure Key Vault limited to the endpoints attached to the resources that are whitelisted to communicate with each other. Assigning the Key Vault to a network without an endpoint will allow other resources on that network to view all traffic from the Key Vault to its destination. In spite of the complexity in configuration, this is recommended for high security secrets.",
+    "remediation": "In the Azure console: <ol> <li>Go to <samp>Key Vaults</samp></li> <li>For each key vault, click on the settings menu called <samp>Networking</samp>.</li><li>Go to the tab named <samp>Private Endpoint Connections</samp>.</li> <li>Ensure that a private endpoint entry exists corresponding each Virtual Network that contains resources requiring access to the Key Vault resource.</li> <li>Click <samp>Save</samp> to apply your changes.</li> </ol>",
+    "compliance": [
+        {
+            "name": "CIS Microsoft Azure Foundations",
+            "version": "2.0.0",
+            "reference": "8.7"
+        }
+    ],
+    "references": [
+        "https://learn.microsoft.com/en-us/azure/key-vault/general/private-link-service",
+        "https://learn.microsoft.com/en-gb/security/benchmark/azure/baselines/key-vault-security-baseline?context=%2Fazure%2Fkey-vault%2Fgeneral%2Fcontext%2Fcontext#ns-2-secure-cloud-services-with-network-controls"
+    ],
+    "dashboard_name": "Key Vaults",
+    "path": "keyvault.subscriptions.id.vaults.id",
+    "conditions": [
+        "and",
+        [
+            "keyvault.subscriptions.id.vaults.id.private_endpoint_connections",
+            "empty",
+            ""
+        ]
+    ],
+    "id_suffix": "private_endpoint_connections"
+}
diff --git a/ScoutSuite/providers/azure/rules/rulesets/default.json b/ScoutSuite/providers/azure/rules/rulesets/default.json
@@ -91,6 +91,12 @@
                 "level": "warning"
             }
         ],
+        "keyvault-private-endpoints-not-used.json": [
+            {
+                "enabled": true,
+                "level": "warning"
+            }
+        ],
         "keyvault-public-traffic-allowed.json": [
             {
                 "enabled": true,