CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of a rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, Network, etc.
Although storage accounts are encrypted by default with Microsoft-managed keys, customer-managed keys enable users to choose when to rotate their keys, and users can disable keys to prevent Azure from accessing their data.
Set the encryption.keySource attribute in the Microsoft.Storage/storageAccounts resource to Microsoft.Keyvault, and set the storageAccountId attribute in the Microsoft.Insights/logprofiles resource to that encrypted storage account.
Example configuration:
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2022-09-01",
      "name": "allowedstorage692",
      "location": "[resourceGroup().location]",
      "sku": {
        "name": "Standard_GRS"
      },
      "identity": {
        "type": "SystemAssigned"
      },
      "kind": "Storage"
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2020-06-01",
      "name": "addencryptionkey",
      "dependsOn": [
        "[resourceId('Microsoft.KeyVault/vaults/keys', 'example-keyvault-692', 'kv1')]"
      ],
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "type": "Microsoft.Storage/storageAccounts",
              "name": "allowedstorage692",
              "apiVersion": "2022-09-01",
              "location": "[resourceGroup().location]",
              "sku": {
                "name": "Standard_GRS"
              },
              "identity": {
                "type": "SystemAssigned"
              },
              "kind": "Storage",
              "properties": {
                "encryption": {
                  "keySource": "Microsoft.Keyvault",
                  "keyvaultproperties": {
                    "keyname": "kv1",
                    "keyvaulturi": "[reference(resourceId('Microsoft.KeyVault/vaults', 'example-keyvault-692'), '2022-07-01', 'Full').properties.vaultUri]"
                  }
                }
              }
            }
          ]
        }
      }
    },
    {
      "type": "Microsoft.Insights/logprofiles",
      "apiVersion": "2016-03-01",
      "name": "example-logs-692",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', 'allowedstorage692')]"
      ],
      "properties": {
        "categories": [
          "Action",
          "Delete",
          "Write"
        ],
        "locations": [
          "westus",
          "global"
        ],
        "retentionPolicy": {
          "days": 7,
          "enabled": true
        },
        "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', 'allowedstorage692')]"
      }
    }
  ]
}
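As an added illustration (not code from this page or from the rule's own implementation), the following Python check applies the rule to an ARM template: it resolves each log profile's storageAccountId back to the storage account it names and verifies that account's encryption.keySource is Microsoft.Keyvault, descending into nested Microsoft.Resources/deployments templates the way the example above assigns the key. The template it runs over is constructed for the example; the resource names in it are placeholders.

```python
import json
import re

# Constructed ARM template (not the page's example): "cmkstorage" receives its
# customer-managed key only inside a nested deployment, as on this page, while
# "mmkstorage" stays on Microsoft-managed keys. Each backs one log profile.
TEMPLATE = json.loads("""{"resources": [
 {"type": "Microsoft.Storage/storageAccounts", "name": "cmkstorage"},
 {"type": "Microsoft.Resources/deployments", "name": "addkey", "properties":
  {"template": {"resources": [{"type": "Microsoft.Storage/storageAccounts",
   "name": "cmkstorage", "properties": {"encryption": {"keySource":
   "Microsoft.Keyvault", "keyvaultproperties": {"keyname": "kv1"}}}}]}}},
 {"type": "Microsoft.Storage/storageAccounts", "name": "mmkstorage",
  "properties": {"encryption": {"keySource": "Microsoft.Storage"}}},
 {"type": "Microsoft.Insights/logprofiles", "name": "logs-cmk", "properties":
  {"storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', 'cmkstorage')]"}},
 {"type": "Microsoft.Insights/logprofiles", "name": "logs-mmk", "properties":
  {"storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', 'mmkstorage')]"}}
]}""")

STORAGE = "Microsoft.Storage/storageAccounts"
ACCOUNT_REF = re.compile(r"resourceId\('" + re.escape(STORAGE) + r"',\s*'([^']+)'\)")

def walk(resources):
    """Yield every resource, descending into nested deployment templates."""
    for res in resources:
        yield res
        if res.get("type") == "Microsoft.Resources/deployments":
            yield from walk(res.get("properties", {}).get("template", {}).get("resources", []))

def key_sources(template):
    """Map storage account name -> keySource (explicit value wins; default Microsoft.Storage)."""
    sources = {}
    for res in walk(template["resources"]):
        if res.get("type") == STORAGE:
            src = res.get("properties", {}).get("encryption", {}).get("keySource")
            if src or res["name"] not in sources:
                sources[res["name"]] = src or "Microsoft.Storage"
    return sources

def activity_log_accounts_without_cmk(template):
    """Names of storage accounts a log profile writes to that lack a customer-managed key."""
    sources, failing = key_sources(template), []
    for res in walk(template["resources"]):
        if res.get("type") == "Microsoft.Insights/logprofiles":
            ref = res.get("properties", {}).get("storageAccountId", "")
            match = ACCOUNT_REF.search(ref)
            name = match.group(1) if match else ref
            if sources.get(name, "Microsoft.Storage").lower() != "microsoft.keyvault":
                failing.append(name)
    return failing
```

A log profile whose storageAccountId names an account the template never defines is also reported, since nothing in the template shows it uses a customer-managed key.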
Set the azurerm_storage_account_customer_managed_key storage_account_id attribute to the ID of the storage account containing activity logs.
A storage account contains activity logs if it is referenced in the azurerm_monitor_log_profile storage_account_id attribute.
Example configuration:
resource "azurerm_storage_account" "allowed1" {
  name                     = "saforexample692"
  resource_group_name      = azurerm_resource_group.example692.name
  location                 = azurerm_resource_group.example692.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_storage_account_customer_managed_key" "allowed1" {
  storage_account_id = azurerm_storage_account.allowed1.id
  key_vault_id       = azurerm_key_vault.example692.id
  key_name           = azurerm_key_vault_key.example692.name
}

resource "azurerm_monitor_log_profile" "allowed1" {
  name = "example692amlp"
  categories = [
    "Action",
    "Delete",
    "Write",
  ]
  locations = [
    "westus",
    "global",
  ]
  storage_account_id = azurerm_storage_account.allowed1.id
  retention_policy {
    enabled = true
    days    = 7
  }
}