Control: Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.07 - Ensure that Public Network Access when using Private Endpoint is disabled

Configures auditing against a CIS Benchmark item.

Level: 2

When Private endpoint is configured on a Key Vault, connections from Azure resources within the same subnet will use its private IP address. However, network traffic from the public internet can still connect to the Key Vault's public endpoint using its public IP address unless Public network access is set to Disabled.

Setting the Public network access to Disabled with a Private Endpoint will remove the Vault's public endpoint from Azure public DNS, reducing its exposure to the public internet.

Removing a point of interconnection from the internet edge to your Key Vault can strengthen the network security boundary of your system and reduce the risk of exposing the control plane or vault objects to untrusted clients.

Although Azure resources are never truly isolated from the public internet, disabling the public endpoint removes a line of sight from the public internet and increases the effort required for an attack.

By default, Access control in Key Vaults is Vault Policy.

Resource Types

This control targets the following resource types:

Azure > Key Vault > Vault

Policies

This control type relies on these other policies when running actions:

In Your Workspace

Developers

Control Type URI

tmod:@turbot/azure-cisv4-0#/control/types/r090307

Category URI

tmod:@turbot/cis#/control/categories/v071406

GraphQL

query controlType(id: "tmod:@turbot/azure-cisv4-0#/control/types/r090307") { … }

query controls(filter: "controlTypeId:'tmod:@turbot/azure-cisv4-0#/control/types/r090307'") { … }

CLI

Get Controls

turbot graphql controls --filter "controlTypeId:tmod:@turbot/azure-cisv4-0#/control/types/r090307"