Storage account containing activity logs is not encrypted with customer-managed keys Affecting Storage service in Azure


Severity
medium
    Severity Framework
    Snyk CCSS
    Rule category
    Data / Encryption at Rest

    Frameworks
    CIS-Azure
    Snyk ID
    SNYK-CC-00692
    Credit
    Snyk Research Team

Description

Although storage accounts are encrypted by default with Microsoft-managed keys, customer-managed keys enable users to choose when to rotate their keys, and users can disable keys to prevent Azure from accessing their data.

How to fix?

Set the encryption.keySource attribute of the Microsoft.Storage/storageAccounts resource to Microsoft.Keyvault, and set the storageAccountId attribute of the Microsoft.Insights/logprofiles resource to that encrypted storage account.

Example Configuration

{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2022-09-01",
            "name": "allowedstorage692",
            "location": "[resourceGroup().location]",
            "sku": {
                "name": "Standard_GRS"
            },
            "identity": {
                "type": "SystemAssigned"
            },
            "kind": "Storage"
        },
        {
            "type": "Microsoft.Resources/deployments",
            "apiVersion": "2020-06-01",
            "name": "addencryptionkey",
            "dependsOn": [
                "[resourceId('Microsoft.KeyVault/vaults/keys', 'example-keyvault-692', 'kv1')]"
            ],
            "properties": {
                "mode": "Incremental",
                "template": {
                    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "resources": [
                        {
                            "type": "Microsoft.Storage/storageAccounts",
                            "name": "allowedstorage692",
                            "apiVersion": "2022-09-01",
                            "location": "[resourceGroup().location]",
                            "sku": {
                                "name": "Standard_GRS"
                            },
                            "identity": {
                                "type": "SystemAssigned"
                            },
                            "kind": "Storage",
                            "properties": {
                                "encryption": {
                                    "keySource": "Microsoft.Keyvault",
                                    "keyvaultproperties": {
                                        "keyname": "kv1",
                                        "keyvaulturi": "[reference(resourceId('Microsoft.KeyVault/vaults', 'example-keyvault-692'), '2022-07-01', 'Full').properties.vaultUri]"
                                    }
                                }
                            }
                        }
                    ]
                }
            }
        },
        {
            "type": "Microsoft.Insights/logprofiles",
            "apiVersion": "2016-03-01",
            "name": "example-logs-692",
            "location": "[resourceGroup().location]",
            "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts', 'allowedstorage692')]"
            ],
            "properties": {
                "categories": [
                    "Action",
                    "Delete",
                    "Write"
                ],
                "locations": [
                    "westus",
                    "global"
                ],
                "retentionPolicy": {
                    "days": 7,
                    "enabled": true
                },
                "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', 'allowedstorage692')]"
            }
        }
    ]
}
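The following is an added example, not part of the Snyk rule page or Snyk's own checker: a small Python script that applies this rule to an ARM template offline. It walks the resources (including the nested Microsoft.Resources/deployments template used in the fixed configuration above), records the effective encryption.keySource of each storage account, resolves each log profile's storageAccountId back to an account name, and reports log profiles whose account is not keyed from Key Vault. The two templates it runs on are constructed samples; the assumptions it makes (literal resource names, the last declaration that sets keySource wins, an unresolvable storageAccountId is treated as a finding) are noted in the code.

```python
import json
import re

# Constructed sample (not from the page): a log profile whose storage account keeps the
# default Microsoft-managed encryption, i.e. the state this rule reports.
WEAK_TEMPLATE = json.dumps({
    "resources": [
        {"type": "Microsoft.Storage/storageAccounts", "name": "logsstorage"},
        {"type": "Microsoft.Insights/logprofiles", "name": "default",
         "properties": {"storageAccountId":
                        "[resourceId('Microsoft.Storage/storageAccounts', 'logsstorage')]"}},
    ]
})

# Constructed sample mirroring the fixed layout: the Key Vault key is applied to the
# same account through a nested Incremental deployment.
FIXED_TEMPLATE = json.dumps({
    "resources": [
        {"type": "Microsoft.Storage/storageAccounts", "name": "logsstorage"},
        {"type": "Microsoft.Resources/deployments", "name": "addencryptionkey",
         "properties": {"mode": "Incremental", "template": {"resources": [
             {"type": "Microsoft.Storage/storageAccounts", "name": "logsstorage",
              "properties": {"encryption": {
                  "keySource": "Microsoft.Keyvault",
                  "keyvaultproperties": {"keyname": "kv1",
                                         "keyvaulturi": "https://example-kv.vault.azure.net/"}}}}]}}},
        {"type": "Microsoft.Insights/logprofiles", "name": "default",
         "properties": {"storageAccountId":
                        "[resourceId('Microsoft.Storage/storageAccounts', 'logsstorage')]"}},
    ]
})

# Matches the resourceId() expression form as well as a literal resource ID path.
RESOURCE_ID_EXPR = re.compile(r"resourceId\('Microsoft\.Storage/storageAccounts',\s*'([^']+)'\)")
RESOURCE_ID_PATH = re.compile(r"/storageAccounts/([^/]+)/?$", re.IGNORECASE)


def walk_resources(resources):
    """Yield every resource, descending into nested Microsoft.Resources/deployments templates."""
    for res in resources:
        yield res
        if res.get("type") == "Microsoft.Resources/deployments":
            nested = res.get("properties", {}).get("template", {})
            yield from walk_resources(nested.get("resources", []))


def storage_key_sources(template):
    """Map each storage account name to its effective encryption.keySource.

    Assumption: names are literal strings, and the last declaration that sets keySource
    wins, which is how the nested Incremental deployment layers the CMK setting on top of
    the bare account. An account that never sets keySource gets Azure's default,
    Microsoft.Storage (platform-managed keys).
    """
    sources = {}
    for res in walk_resources(template.get("resources", [])):
        if res.get("type") != "Microsoft.Storage/storageAccounts":
            continue
        enc = res.get("properties", {}).get("encryption", {})
        if "keySource" in enc:
            sources[res["name"]] = enc["keySource"]
        else:
            sources.setdefault(res["name"], "Microsoft.Storage")
    return sources


def storage_name_from_id(value):
    """Extract the storage account name from a storageAccountId value, or None."""
    for pattern in (RESOURCE_ID_EXPR, RESOURCE_ID_PATH):
        match = pattern.search(value)
        if match:
            return match.group(1)
    return None


def find_unencrypted_log_storage(template_json):
    """Return (log profile name, storage account name) pairs where the log profile's
    storage account is not encrypted with a customer-managed Key Vault key."""
    template = json.loads(template_json)
    sources = storage_key_sources(template)
    findings = []
    for res in walk_resources(template.get("resources", [])):
        if res.get("type", "").lower() != "microsoft.insights/logprofiles":
            continue
        account = storage_name_from_id(res.get("properties", {}).get("storageAccountId", ""))
        # Unresolvable or undeclared account: treat as not CMK-encrypted (fail closed).
        if sources.get(account, "Microsoft.Storage").lower() != "microsoft.keyvault":
            findings.append((res["name"], account))
    return findings


if __name__ == "__main__":
    print(find_unencrypted_log_storage(WEAK_TEMPLATE))   # [('default', 'logsstorage')]
    print(find_unencrypted_log_storage(FIXED_TEMPLATE))  # []
```

Run it against a real template by passing the file's contents to find_unencrypted_log_storage; an empty list means every log profile writes to a storage account whose keySource is Microsoft.Keyvault. The check deliberately fails closed when it cannot resolve a storageAccountId, so a template that builds the ID from parameters will surface as a finding for manual review rather than passing silently.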