Storage for critical data not encrypted with Customer Managed Key

ID

storage_critical_data_encrypted_cmk

Severity

critical

Vendor

Azure

Resource

Azure Key Vault

Tags

reachable

Description

Storage for critical data is not encrypted with a Customer Managed Key (CMK).

By default, data in a storage account is encrypted at rest using Microsoft-managed keys.

Instead of the default, it is recommended to use a Customer Managed Key: the key is provided by the customer and stored in a customer-managed key vault rather than in a Microsoft-managed key store, so the customer controls the key's lifecycle (rotation, access policy, revocation).

Examples

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2021-04-01",
      "name": "bad", (1)
      "location": "[parameters('location')]",
      "properties": {
        "encryption": {
          "identity": {
            "userAssignedIdentity": "[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/','storageIdentity')]"
          }
        }
      }
    }
  ]
}
1 is a storage account not using CMK.

Terraform

# FLAW, no CMK associated with this storage account.
resource "azurerm_storage_account" "my_st_account" {
  name                     = "stor"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  identity {
    type = "SystemAssigned"
  }
}

Mitigation / Fix

Buildtime

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2021-04-01",
      "name": "good", (1)
      "location": "[parameters('location')]",
      "properties": {
        "encryption": {
          "identity": {
            "userAssignedIdentity": "[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/','storageIdentity')]"
          },
          "keySource": "Microsoft.Keyvault",
          "keyvaultproperties": {
            "keyvaulturi": "[concat('https://', parameters('vaultName'), '.vault.azure.net')]",
            "keyname": "storagekey"
          }
        }
      }
    }
  ]
}
1 is a storage account using CMK: keySource is set to Microsoft.Keyvault (without it Azure keeps the default Microsoft.Storage provider and ignores keyvaultproperties) and keyvaultproperties points at the customer's key.

Terraform

resource "azurerm_storage_account" "my_st_account" {
  name                     = "stor"
  # ... same as before ...
}

resource "azurerm_storage_account_customer_managed_key" "ok_cmk" {
  storage_account_id = azurerm_storage_account.my_st_account.id (1)
  key_vault_id       = azurerm_key_vault.example.id
  key_name           = azurerm_key_vault_key.example.name
}
1 Fixed: a customer-managed key from the key vault is used for encryption at rest instead of the Microsoft-managed key. The storage account's identity (system-assigned here, as in the block above) must also be granted access to the key in the vault, or the association fails.
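The following is an added example (not part of the original policy page or of any scanner's own code): a small offline checker that applies this control to both input forms shown above, an ARM template parsed as JSON and a Terraform configuration matched with regular expressions. It treats a storage account as CMK-encrypted only when `encryption.keySource` is `Microsoft.Keyvault` and `keyvaultproperties` carries a vault URI and key name (ARM), or when an `azurerm_storage_account_customer_managed_key` resource references the account (Terraform). The sample templates, resource names and vault URI embedded below are constructed for this example.

```python
"""Offline CMK checker for Azure storage accounts (added example).

Flags Microsoft.Storage/storageAccounts resources that are not configured
for customer-managed keys, in an ARM template (JSON) or a Terraform file
(HCL, text-level matching rather than a full HCL parser).
"""
import json
import re


def _lower_keys(obj):
    """Recursively lowercase dict keys: ARM property names are case-insensitive."""
    if isinstance(obj, dict):
        return {k.lower(): _lower_keys(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_lower_keys(v) for v in obj]
    return obj


def arm_storage_accounts_without_cmk(template_text):
    """Return names of storageAccounts resources in an ARM template lacking CMK.

    CMK is considered present only when keySource is Microsoft.Keyvault AND
    keyvaultproperties names both a vault URI and a key; keyvaultproperties
    without keySource leaves the default Microsoft.Storage provider in effect.
    """
    template = json.loads(template_text)
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.storage/storageaccounts":
            continue
        enc = _lower_keys(res.get("properties", {})).get("encryption", {})
        key_source = str(enc.get("keysource", "Microsoft.Storage")).lower()
        kv = enc.get("keyvaultproperties", {})
        has_cmk = (key_source == "microsoft.keyvault"
                   and bool(kv.get("keyvaulturi")) and bool(kv.get("keyname")))
        if not has_cmk:
            findings.append(res.get("name", "<unnamed>"))
    return findings


# Terraform: header of a resource block, and the CMK resource's reference
# back to the storage account it protects.
_TF_RESOURCE = re.compile(r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{')
_TF_CMK_REF = re.compile(r'storage_account_id\s*=\s*azurerm_storage_account\.(?P<name>[A-Za-z0-9_-]+)\.id')


def _tf_blocks(hcl_text):
    """Yield (type, name, body) per resource block; body runs to the next header."""
    headers = list(_TF_RESOURCE.finditer(hcl_text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(hcl_text)
        yield m.group("type"), m.group("name"), hcl_text[m.end():end]


def tf_storage_accounts_without_cmk(hcl_text):
    """Return azurerm_storage_account names with no CMK resource pointing at them."""
    accounts, covered = [], set()
    for rtype, name, body in _tf_blocks(hcl_text):
        if rtype == "azurerm_storage_account":
            accounts.append(name)
        elif rtype == "azurerm_storage_account_customer_managed_key":
            ref = _TF_CMK_REF.search(body)
            if ref:
                covered.add(ref.group("name"))
    return [a for a in accounts if a not in covered]


# Constructed sample inputs mirroring the page's "bad" and "good" configurations.
ARM_BAD = json.dumps({"resources": [{
    "type": "Microsoft.Storage/storageAccounts", "name": "bad",
    "properties": {"encryption": {"identity": {"userAssignedIdentity": "<constructed-id>"}}}}]})
ARM_GOOD = json.dumps({"resources": [{
    "type": "Microsoft.Storage/storageAccounts", "name": "good",
    "properties": {"encryption": {
        "keySource": "Microsoft.Keyvault",
        "keyvaultproperties": {"keyvaulturi": "https://examplevault.vault.azure.net",
                               "keyname": "storagekey"}}}}]})
TF_BAD = '''
resource "azurerm_storage_account" "my_st_account" {
  name = "stor"
  identity { type = "SystemAssigned" }
}
'''
TF_GOOD = TF_BAD + '''
resource "azurerm_storage_account_customer_managed_key" "ok_cmk" {
  storage_account_id = azurerm_storage_account.my_st_account.id
  key_vault_id       = azurerm_key_vault.example.id
  key_name           = azurerm_key_vault_key.example.name
}
'''

if __name__ == "__main__":
    print("ARM bad :", arm_storage_accounts_without_cmk(ARM_BAD))    # ['bad']
    print("ARM good:", arm_storage_accounts_without_cmk(ARM_GOOD))   # []
    print("TF bad  :", tf_storage_accounts_without_cmk(TF_BAD))      # ['my_st_account']
    print("TF good :", tf_storage_accounts_without_cmk(TF_GOOD))     # []
```

The Terraform matcher is deliberately text-level: it walks top-level `resource` headers and pairs each `azurerm_storage_account_customer_managed_key` with the account it references, which is enough for the layout used on this page but not a substitute for a real HCL parser in a CI pipeline. For the runtime counterpart of the same check on a deployed account, `az storage account show -n <name> -g <rg> --query encryption.keySource` returns `Microsoft.Storage` for the default and `Microsoft.Keyvault` when CMK is in effect.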