Severity Framework
Snyk CCSS
Rule category
Data / Encryption at Rest
Is your enviroment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
CIS-Azure
- Snyk ID SNYK-CC-00691
- credit Snyk Research Team
Description
Although storage accounts are encrypted by default with Microsoft-managed keys, customer-managed keys allow users to choose when to rotate their keys per compliance and security requirements, and provide users with a means to prevent Azure from accessing their data by disabling keys.
How to fix?
Set the encryption.keySource attribute in Microsoft.Storage/storageAccounts resource to Microsoft.Keyvault, set the encryption.keyvaultproperties.keyvaulturi attribute in Microsoft.Storage/storageAccounts resource to the valid keyvaulturi.
Example Configuration
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2022-09-01",
"name": "allowedstorage691",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_GRS"
},
"identity": {
"type": "SystemAssigned"
},
"kind": "Storage"
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-06-01",
"name": "addencryptionkey",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults/keys', 'example-keyvault691', 'kv1')]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"name": "allowedstorage691",
"apiVersion": "2022-09-01",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_GRS"
},
"identity": {
"type": "SystemAssigned"
},
"kind": "Storage",
"properties": {
"encryption": {
"keySource": "Microsoft.Keyvault",
"keyvaultproperties": {
"keyname": "kv1",
"keyvaulturi": "[reference(resourceId('Microsoft.KeyVault/vaults', 'example-keyvault691'), '2022-07-01', 'Full').properties.vaultUri]"
}
}
}
}
]
}
}
}
]
}