SQL server TDE protector is not encrypted with a Key Vault customer-managed key Affecting Database service in Azure


Severity

medium
    Severity Framework
    Snyk CCSS
    Rule category
    Data / Encryption at Rest

  • Frameworks CIS-Azure
  • Snyk ID SNYK-CC-00703
  • credit Snyk Research Team

Description

With TDE, data is encrypted at rest with a symmetric database encryption key (DEK). The DEK is in turn protected by the TDE protector, which is either a certificate managed by the service (the default) or an asymmetric key held in Azure Key Vault. Using a Key Vault customer-managed key gives you control over the protector's lifecycle: you decide who can use the key and when, key usage is logged by Key Vault, and revoking the SQL server's access to the key makes the encrypted databases inaccessible until access is restored. With a service-managed key none of that control is available to you.

How to fix?

Set the serverKeyType attribute of the Microsoft.Sql/servers/encryptionProtector resource to AzureKeyVault, and set its serverKeyName attribute to the name of a Microsoft.Sql/servers/keys resource whose serverKeyType is also AzureKeyVault. The server key's name follows the pattern <vaultName>_<keyName>_<keyVersion>, as in the example below. Two prerequisites are not expressed by these resources: the server's managed identity (systemAssigned in the example) needs get, wrapKey and unwrapKey permissions on the key, and the key vault must have soft delete and purge protection enabled. The example references an existing Key Vault key rather than deploying one.

Example Configuration

{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "administratorLoginPassword": {
            "type": "securestring"
        }
    },
    "resources": [
        {
            "type": "Microsoft.Sql/servers",
            "apiVersion": "2022-05-01-preview",
            "name": "allowed-1",
            "location": "[resourceGroup().location]",
            "tags": {
                "environment": "production"
            },
            "identity": {
                "type": "SystemAssigned"
            },
            "properties": {
                "administratorLogin": "mradministrator",
                "administratorLoginPassword": "[parameters('administratorLoginPassword')]",
                "version": "12.0"
            }
        },
        {
            "type": "Microsoft.Sql/servers/keys",
            "apiVersion": "2022-05-01-preview",
            "name": "allowed-1/example-keyvault703_kv1_48f8f7aaf25a48b5adf181d1b7457d48",
            "dependsOn": [
                "[resourceId('Microsoft.Sql/servers', 'allowed-1')]"
            ],
            "properties": {
                "serverKeyType": "AzureKeyVault",
                "uri": "[reference(resourceId('Microsoft.KeyVault/vaults/keys', 'example-keyvault703', 'kv1'), '2022-07-01', 'Full').properties.keyUriWithVersion]"
            }
        },
        {
            "type": "Microsoft.Sql/servers/encryptionProtector",
            "apiVersion": "2022-05-01-preview",
            "name": "allowed-1/current",
            "dependsOn": [
                "[resourceId('Microsoft.Sql/servers', 'allowed-1')]",
                "[resourceId('Microsoft.Sql/servers/keys', 'allowed-1', 'example-keyvault703_kv1_48f8f7aaf25a48b5adf181d1b7457d48')]"
            ],
            "properties": {
                "autoRotationEnabled": true,
                "serverKeyName": "example-keyvault703_kv1_48f8f7aaf25a48b5adf181d1b7457d48",
                "serverKeyType": "AzureKeyVault"
            }
        }
    ]
}
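An offline check for this rule against an ARM template, added here as an example; it is not Snyk's rule engine, and the two templates embedded in it are constructed for the demo. It walks the template's top-level resources and reports every Microsoft.Sql/servers resource whose TDE protector is not a Key Vault customer-managed key, covering the three ways a template can fail the rule: no encryptionProtector declared (Azure then defaults to ServiceManaged), serverKeyType left at ServiceManaged, or an AzureKeyVault protector whose serverKeyName matches no Key Vault-backed Microsoft.Sql/servers/keys resource.

```python
"""Offline check: does every Microsoft.Sql/servers resource in an ARM template
have its TDE protector backed by a Key Vault customer-managed key?

Added example for this rule page, not Snyk's implementation. Only top-level
resources are walked; child resources nested inside a parent's "resources"
array are not considered.
"""
import json

SQL_SERVER = "microsoft.sql/servers"
SERVER_KEY = "microsoft.sql/servers/keys"
PROTECTOR = "microsoft.sql/servers/encryptionprotector"


def _is_type(resource, type_name):
    # ARM resource types are case-insensitive.
    return resource.get("type", "").lower() == type_name


def _split_child(resource):
    # Child resources are named "<server>/<child>".
    server, _, child = resource["name"].partition("/")
    return server, child


def check_tde_protectors(template):
    """Return a sorted list of (server_name, finding); an empty list means compliant."""
    resources = template.get("resources", [])
    servers = {r["name"] for r in resources if _is_type(r, SQL_SERVER)}

    # Key Vault-backed server keys, indexed by server name.
    akv_keys = {}
    for r in resources:
        if _is_type(r, SERVER_KEY) and r.get("properties", {}).get("serverKeyType") == "AzureKeyVault":
            server, key_name = _split_child(r)
            akv_keys.setdefault(server, set()).add(key_name)

    protectors = {_split_child(r)[0]: r for r in resources if _is_type(r, PROTECTOR)}

    findings = []
    for server in sorted(servers):
        protector = protectors.get(server)
        if protector is None:
            # Azure creates a ServiceManaged protector when none is declared.
            findings.append((server, "no encryptionProtector declared; the default is ServiceManaged"))
            continue
        props = protector.get("properties", {})
        key_type = props.get("serverKeyType")
        key_name = props.get("serverKeyName")
        if key_type != "AzureKeyVault":
            findings.append((server, f"serverKeyType is {key_type!r}, expected 'AzureKeyVault'"))
        elif key_name not in akv_keys.get(server, set()):
            findings.append((server, f"serverKeyName {key_name!r} matches no Key Vault-backed Microsoft.Sql/servers/keys resource"))
    return findings


def check_template_file(path):
    """Convenience wrapper for a template on disk."""
    with open(path, encoding="utf-8") as fh:
        return check_tde_protectors(json.load(fh))


# Constructed sample: three servers, each failing the rule in a different way.
NONCOMPLIANT_TEMPLATE = {
    "resources": [
        {"type": "Microsoft.Sql/servers", "name": "sql-a", "properties": {}},
        {"type": "Microsoft.Sql/servers/encryptionProtector", "name": "sql-a/current",
         "properties": {"serverKeyType": "ServiceManaged", "serverKeyName": "ServiceManaged"}},
        {"type": "Microsoft.Sql/servers", "name": "sql-b", "properties": {}},
        {"type": "Microsoft.Sql/servers", "name": "sql-c", "properties": {}},
        {"type": "Microsoft.Sql/servers/encryptionProtector", "name": "sql-c/current",
         "properties": {"serverKeyType": "AzureKeyVault", "serverKeyName": "example-kv_key1_0123"}},
    ]
}

# Constructed sample mirroring the page's fix: an AKV server key plus a protector pointing at it.
# The vault, key and version ("example-kv", "key1", "0123") are placeholders.
COMPLIANT_TEMPLATE = {
    "resources": [
        {"type": "Microsoft.Sql/servers", "name": "sql-d", "properties": {}},
        {"type": "Microsoft.Sql/servers/keys", "name": "sql-d/example-kv_key1_0123",
         "properties": {"serverKeyType": "AzureKeyVault",
                        "uri": "https://example-kv.vault.azure.net/keys/key1/0123"}},
        {"type": "Microsoft.Sql/servers/encryptionProtector", "name": "sql-d/current",
         "properties": {"autoRotationEnabled": True, "serverKeyType": "AzureKeyVault",
                        "serverKeyName": "example-kv_key1_0123"}},
    ]
}

if __name__ == "__main__":
    for label, template in (("noncompliant", NONCOMPLIANT_TEMPLATE), ("compliant", COMPLIANT_TEMPLATE)):
        findings = check_tde_protectors(template)
        print(f"{label}: {len(findings)} finding(s)")
        for server, message in findings:
            print(f"  {server}: {message}")
```

For servers that are already deployed, the equivalent live check is `az sql server tde-key show --resource-group <rg> --server <server>`; a serverKeyType other than AzureKeyVault in its output is the same finding this script reports for the template.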