Severity Framework
Snyk CCSS
Rule category
Data / Encryption at Rest
Frameworks
CIS-Azure
- Snyk ID SNYK-CC-00703
- credit Snyk Research Team
Description
With Transparent Data Encryption (TDE), data is encrypted at rest with a symmetric database encryption key, which is in turn protected by the TDE protector. By default the protector is a service-managed key. Using a customer-managed key in Azure Key Vault gives you control over the protector: who can access it and when, how it is rotated, and the ability to revoke it, which renders the databases unreadable until access is restored.
How to fix?
Set the serverKeyType attribute of the Microsoft.Sql/servers/encryptionProtector resource to AzureKeyVault, and set its serverKeyName attribute to the name of a Microsoft.Sql/servers/keys resource (named in the form <vaultName>_<keyName>_<keyVersion>) whose serverKeyType is also AzureKeyVault and whose uri points at the Key Vault key. The SQL server needs a managed identity with get, wrapKey and unwrapKey permission on that key, and the vault should have soft delete and purge protection enabled so that the protector cannot be destroyed out from under the encrypted databases.
Example Configuration
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "administratorLoginPassword": {
      "type": "securestring",
      "metadata": {
        "description": "SQL administrator password, supplied at deployment time rather than embedded in the template"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Sql/servers",
      "apiVersion": "2022-05-01-preview",
      "name": "allowed-1",
      "location": "[resourceGroup().location]",
      "tags": {
        "environment": "production"
      },
      "identity": {
        "type": "SystemAssigned"
      },
      "properties": {
        "administratorLogin": "mradministrator",
        "administratorLoginPassword": "[parameters('administratorLoginPassword')]",
        "version": "12.0"
      }
    },
    {
      "type": "Microsoft.Sql/servers/keys",
      "apiVersion": "2022-05-01-preview",
      "name": "allowed-1/example-keyvault703_kv1_48f8f7aaf25a48b5adf181d1b7457d48",
      "dependsOn": [
        "[resourceId('Microsoft.Sql/servers', 'allowed-1')]"
      ],
      "properties": {
        "serverKeyType": "AzureKeyVault",
        "uri": "[reference(resourceId('Microsoft.KeyVault/vaults/keys', 'example-keyvault703', 'kv1'), '2022-07-01', 'Full').properties.keyUriWithVersion]"
      }
    },
    {
      "type": "Microsoft.Sql/servers/encryptionProtector",
      "apiVersion": "2022-05-01-preview",
      "name": "allowed-1/current",
      "dependsOn": [
        "[resourceId('Microsoft.Sql/servers', 'allowed-1')]",
        "[resourceId('Microsoft.Sql/servers/keys', 'allowed-1', 'example-keyvault703_kv1_48f8f7aaf25a48b5adf181d1b7457d48')]"
      ],
      "properties": {
        "autoRotationEnabled": true,
        "serverKeyName": "example-keyvault703_kv1_48f8f7aaf25a48b5adf181d1b7457d48",
        "serverKeyType": "AzureKeyVault"
      }
    }
  ]
}
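The fix above can be checked mechanically before deployment. The following script, an added example that is not Snyk's policy code and not part of the original page, walks an ARM template and reports every Microsoft.Sql/servers resource whose encryptionProtector is missing, is ServiceManaged, or names a serverKeyName that does not correspond to a Microsoft.Sql/servers/keys resource of type AzureKeyVault. The sample templates embedded at the bottom (server names, vault name and key version) are constructed for the example; the walker assumes top-level resources with literal "<server>/<child>" names and does not evaluate ARM expressions or nested child resources.

```python
"""Flag Azure SQL servers in an ARM template whose TDE protector is not a
customer-managed key in Azure Key Vault (the condition SNYK-CC-00703 describes).

Added example, not Snyk's own policy code. Simplification: handles top-level
resources named "<server>/<child>" with literal names, not ARM expressions or
nested child resources.
"""
import json

SQL_SERVER = "microsoft.sql/servers"
SQL_KEY = "microsoft.sql/servers/keys"
SQL_PROTECTOR = "microsoft.sql/servers/encryptionprotector"


def _split_name(name):
    """Split a child resource name "<server>/<child>" into its two parts."""
    server, _, child = name.partition("/")
    return server, child or None


def find_tde_violations(template):
    """Return one finding string per SQL server that is not protected by a
    customer-managed Key Vault key; an empty list means the template passes."""
    servers = []
    keys = {}        # (server, keyName) -> serverKeyType of the servers/keys resource
    protectors = {}  # server -> encryptionProtector properties
    for res in template.get("resources", []):
        rtype = str(res.get("type", "")).lower()
        name = str(res.get("name", ""))
        props = res.get("properties") or {}
        if rtype == SQL_SERVER:
            servers.append(name)
        elif rtype == SQL_KEY:
            server, key = _split_name(name)
            keys[(server, key)] = props.get("serverKeyType")
        elif rtype == SQL_PROTECTOR:
            server, _ = _split_name(name)
            protectors[server] = props

    findings = []
    for server in servers:
        prot = protectors.get(server)
        if prot is None:
            # No encryptionProtector at all: Azure falls back to the service-managed protector.
            findings.append(f"{server}: no encryptionProtector, TDE uses a service-managed key")
            continue
        key_type = prot.get("serverKeyType")
        if key_type != "AzureKeyVault":
            findings.append(f"{server}: serverKeyType is {key_type!r}, expected 'AzureKeyVault'")
            continue
        key_name = prot.get("serverKeyName")
        if keys.get((server, key_name)) != "AzureKeyVault":
            # The protector names a key the template never defines as a Key Vault key.
            findings.append(f"{server}: serverKeyName {key_name!r} is not a "
                            "Microsoft.Sql/servers/keys resource of type AzureKeyVault")
    return findings


def scan_file(path):
    """Load an ARM template from disk and return its findings."""
    with open(path, encoding="utf-8") as f:
        return find_tde_violations(json.load(f))


# Constructed sample templates (not from the original page): one compliant
# server and three ways of getting the rule wrong.
KEY_NAME = "example-vault_kv1_0123456789abcdef0123456789abcdef"  # hypothetical <vault>_<key>_<version>

COMPLIANT = {
    "resources": [
        {"type": "Microsoft.Sql/servers", "name": "srv-cmk", "properties": {}},
        {"type": "Microsoft.Sql/servers/keys", "name": f"srv-cmk/{KEY_NAME}",
         "properties": {"serverKeyType": "AzureKeyVault",
                        "uri": "https://example-vault.vault.azure.net/keys/kv1/0123456789abcdef0123456789abcdef"}},
        {"type": "Microsoft.Sql/servers/encryptionProtector", "name": "srv-cmk/current",
         "properties": {"serverKeyType": "AzureKeyVault", "serverKeyName": KEY_NAME,
                        "autoRotationEnabled": True}},
    ]
}

NONCOMPLIANT = {
    "resources": [
        # No protector resource at all.
        {"type": "Microsoft.Sql/servers", "name": "srv-default", "properties": {}},
        # Protector explicitly set to the service-managed key.
        {"type": "Microsoft.Sql/servers", "name": "srv-service", "properties": {}},
        {"type": "Microsoft.Sql/servers/encryptionProtector", "name": "srv-service/current",
         "properties": {"serverKeyType": "ServiceManaged", "serverKeyName": "ServiceManaged"}},
        # Protector says AzureKeyVault but names a key the template never defines.
        {"type": "Microsoft.Sql/servers", "name": "srv-dangling", "properties": {}},
        {"type": "Microsoft.Sql/servers/encryptionProtector", "name": "srv-dangling/current",
         "properties": {"serverKeyType": "AzureKeyVault", "serverKeyName": "missing_key_0"}},
    ]
}

if __name__ == "__main__":
    for label, tpl in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(label, find_tde_violations(tpl) or "OK")
```

Run against the example configuration above, scan_file returns an empty list because the allowed-1 protector is AzureKeyVault and its serverKeyName matches the servers/keys resource of the same server. The third failure case, a protector that claims AzureKeyVault but points at an undefined key, is worth checking explicitly: the deployment would fail rather than silently fall back, but catching it in review is cheaper than a failed rollout.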