Homepage

Storage account for critical data is not encrypted with customer managed keys Affecting Storage service in Azure

Severity

0.0
medium
0
10
Severity Framework
Snyk CCSS
Rule category
Data/ Encryption at Rest

Is your environment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
Frameworks
CIS-Azure
  • Snyk IDSNYK-CC-00691
  • creditSnyk Research Team
Report a new misconfiguration Found a mistake?

Description

Although storage accounts are encrypted by default with Microsoft-managed keys, customer-managed keys allow users to choose when to rotate their keys per compliance and security requirements, and provide users with a means to prevent Azure from accessing their data by disabling keys.

How to fix?

Set the encryption.keySource attribute in Microsoft.Storage/storageAccounts resource to Microsoft.Keyvault, set the encryption.keyvaultproperties.keyvaulturi attribute in Microsoft.Storage/storageAccounts resource to the valid keyvaulturi.

Example Configuration

{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2022-09-01",
            "name": "allowedstorage691",
            "location": "[resourceGroup().location]",
            "sku": {
                "name": "Standard_GRS"
            },
            "identity": {
                "type": "SystemAssigned"
            },
            "kind": "Storage"
        },
        {
            "type": "Microsoft.Resources/deployments",
            "apiVersion": "2020-06-01",
            "name": "addencryptionkey",
            "dependsOn": [
                "[resourceId('Microsoft.KeyVault/vaults/keys', 'example-keyvault691', 'kv1')]"
            ],
            "properties": {
                "mode": "Incremental",
                "template": {
                    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "resources": [
                        {
                            "type": "Microsoft.Storage/storageAccounts",
                            "name": "allowedstorage691",
                            "apiVersion": "2022-09-01",
                            "location": "[resourceGroup().location]",
                            "sku": {
                                "name": "Standard_GRS"
                            },
                            "identity": {
                                "type": "SystemAssigned"
                            },
                            "kind": "Storage",
                            "properties": {
                                "encryption": {
                                    "keySource": "Microsoft.Keyvault",
                                    "keyvaultproperties": {
                                        "keyname": "kv1",
                                        "keyvaulturi": "[reference(resourceId('Microsoft.KeyVault/vaults', 'example-keyvault691'), '2022-07-01', 'Full').properties.vaultUri]"
                                    }
                                }
                            }
                        }
                    ]
                }
            }
        }
    ]
}