Severity Framework
Snyk CCSS
Rule category
Data / Encryption at Rest
Frameworks
CIS-Azure
- Snyk ID SNYK-CC-00692
- credit Snyk Research Team
Description
Although storage accounts are encrypted by default with Microsoft-managed keys, customer-managed keys let users choose when to rotate their keys, and users can disable a key to prevent Azure from accessing their data. This rule flags a log profile whose storageAccountId points to a storage account that is not encrypted with a customer-managed key, so the activity log it writes is protected only by Microsoft-managed keys.
How to fix?
Set the encryption.keySource attribute of the Microsoft.Storage/storageAccounts resource to Microsoft.Keyvault (with keyvaultproperties naming the key and the vault URI), and set the storageAccountId attribute of the Microsoft.Insights/logprofiles resource to that encrypted storage account. Azure only accepts a customer-managed key from a key vault with soft delete and purge protection enabled, and the storage account's managed identity must be granted get, wrapKey and unwrapKey permissions on the key before encryption is switched over. That is why the example below first creates the account with a system-assigned identity and then enables the key in a nested deployment; it assumes the vault example-keyvault-692 and the key kv1 already exist and that the identity has been granted access.
Example Configuration
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2022-09-01",
      "name": "allowedstorage692",
      "location": "[resourceGroup().location]",
      "sku": {
        "name": "Standard_GRS"
      },
      "identity": {
        "type": "SystemAssigned"
      },
      "kind": "Storage"
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2020-06-01",
      "name": "addencryptionkey",
      "dependsOn": [
        "[resourceId('Microsoft.KeyVault/vaults/keys', 'example-keyvault-692', 'kv1')]"
      ],
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "type": "Microsoft.Storage/storageAccounts",
              "name": "allowedstorage692",
              "apiVersion": "2022-09-01",
              "location": "[resourceGroup().location]",
              "sku": {
                "name": "Standard_GRS"
              },
              "identity": {
                "type": "SystemAssigned"
              },
              "kind": "Storage",
              "properties": {
                "encryption": {
                  "keySource": "Microsoft.Keyvault",
                  "keyvaultproperties": {
                    "keyname": "kv1",
                    "keyvaulturi": "[reference(resourceId('Microsoft.KeyVault/vaults', 'example-keyvault-692'), '2022-07-01', 'Full').properties.vaultUri]"
                  }
                }
              }
            }
          ]
        }
      }
    },
    {
      "type": "Microsoft.Insights/logprofiles",
      "apiVersion": "2016-03-01",
      "name": "example-logs-692",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', 'allowedstorage692')]"
      ],
      "properties": {
        "categories": [
          "Action",
          "Delete",
          "Write"
        ],
        "locations": [
          "westus",
          "global"
        ],
        "retentionPolicy": {
          "days": 7,
          "enabled": true
        },
        "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', 'allowedstorage692')]"
      }
    }
  ]
}
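The check this rule performs can be run locally against an ARM template before deployment. The following is an added example, not Snyk's scanner or code from the page: it walks a template (descending into nested Microsoft.Resources/deployments, as the fix above requires), resolves each log profile's storageAccountId back to a storage account definition, and reports log profiles whose account never sets encryption.keySource to Microsoft.Keyvault. The two embedded templates are constructed for the example; the storage account name logstore692 and the vault URI are placeholders.

```python
import json
import re
import sys

# Matches the ARM expression "[resourceId('Microsoft.Storage/storageAccounts', '<name>')]"
_RESOURCE_ID_RE = re.compile(
    r"\[\s*resourceId\(\s*'Microsoft\.Storage/storageAccounts'\s*,\s*'([^']+)'\s*\)\s*\]",
    re.IGNORECASE,
)
# Matches a literal resource ID ending in ".../providers/Microsoft.Storage/storageAccounts/<name>"
_LITERAL_ID_RE = re.compile(
    r"/providers/Microsoft\.Storage/storageAccounts/([^/]+)$", re.IGNORECASE
)


def _iter_resources(resources):
    """Yield every resource, descending into nested deployment templates."""
    for res in resources or []:
        yield res
        if res.get("type", "").lower() == "microsoft.resources/deployments":
            inner = res.get("properties", {}).get("template", {})
            yield from _iter_resources(inner.get("resources"))


def storage_account_name(ref):
    """Return the storage account name referenced by an ARM expression or literal ID, else None."""
    m = _RESOURCE_ID_RE.fullmatch(ref.strip())
    if m:
        return m.group(1)
    m = _LITERAL_ID_RE.search(ref.strip())
    return m.group(1) if m else None


def uses_customer_managed_key(res):
    """True when the storage account resource sets encryption.keySource to Microsoft.Keyvault."""
    enc = res.get("properties", {}).get("encryption", {})
    return enc.get("keySource", "").lower() == "microsoft.keyvault"


def find_unencrypted_log_profiles(template):
    """Names of log profiles whose storage account is not defined with a customer-managed key.

    An account counts as compliant if any definition of it in the template (outer or nested
    deployment) enables Microsoft.Keyvault; a reference to an account the template does not
    define is reported, since its encryption cannot be verified from the file alone.
    """
    resources = list(_iter_resources(template.get("resources")))
    cmk_accounts = {
        r["name"]
        for r in resources
        if r.get("type", "").lower() == "microsoft.storage/storageaccounts"
        and uses_customer_managed_key(r)
    }
    findings = []
    for r in resources:
        if r.get("type", "").lower() != "microsoft.insights/logprofiles":
            continue
        ref = r.get("properties", {}).get("storageAccountId")
        if not ref:
            continue  # no storage destination, so nothing to encrypt
        if storage_account_name(ref) not in cmk_accounts:
            findings.append(r["name"])
    return findings


# Constructed sample templates (assumed names; not from the page).
_PROFILE = {
    "type": "Microsoft.Insights/logprofiles",
    "name": "example-logs-692",
    "properties": {"storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', 'logstore692')]"},
}
NONCOMPLIANT = {"resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "logstore692",
     "properties": {"encryption": {"keySource": "Microsoft.Storage"}}},
    _PROFILE,
]}
COMPLIANT = {"resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "logstore692",
     "identity": {"type": "SystemAssigned"}},
    {"type": "Microsoft.Resources/deployments", "name": "addencryptionkey",
     "properties": {"mode": "Incremental", "template": {"resources": [
         {"type": "Microsoft.Storage/storageAccounts", "name": "logstore692",
          "properties": {"encryption": {"keySource": "Microsoft.Keyvault", "keyvaultproperties": {
              "keyname": "kv1", "keyvaulturi": "https://example-keyvault-692.vault.azure.net/"}}}}]}}},
    _PROFILE,
]}


def main(argv):
    # With a path argument, scan that template file; otherwise scan the two samples above.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            templates = {argv[1]: json.load(fh)}
    else:
        templates = {"NONCOMPLIANT": NONCOMPLIANT, "COMPLIANT": COMPLIANT}
    for label, tpl in templates.items():
        print(label, "->", find_unencrypted_log_profiles(tpl) or "no findings")


if __name__ == "__main__":
    main(sys.argv)
```

The checker reads only what the template states, so a keyvaulturi built from a reference() expression (as in the page's example) is accepted as-is; it does not confirm that the vault has purge protection or that the account's identity holds the key permissions, which must be verified in the subscription.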