azure-app-tier-cmk-untagged: Customer-Managed Key Not Tagged in Azure App Tier

日期: 2025-08-01 | 影响软件: Azure App Tier Cmk Untagged | POC: 已公开

漏洞描述

Ensure that a Customer-Managed Key (CMK), also known as Bring Your Own Key (BYOK), is created and configured for your Microsoft Azure application tier to meet cloud security and compliance requirements. The conformity rule assumes all Azure cloud resources in your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>. The tag set for your Azure application tier must be pre-configured in the Cloud Conformity console.

PoC代码[已公开]

id: azure-app-tier-cmk-untagged
info:
  name: Customer-Managed Key Not Tagged in Azure App Tier
  author: princechaddha
  severity: high
  description: |
    Ensure that a Customer-Managed Key (CMK), also known as Bring Your Own Key (BYOK), is created and configured for your Microsoft Azure application tier to meet cloud security and compliance requirements. The conformity rule assumes all Azure cloud resources in your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>. The tag set for your Azure application tier must be pre-configured in the Cloud Conformity console.
  impact: |
    Not using properly tagged CMKs may lead to non-compliance with security standards and make cloud resources difficult to manage and audit.
  remediation: |
    Ensure all Customer-Managed Keys used in the application tier are properly tagged according to organizational policies. Update the key's metadata through the Azure portal or Azure CLI.
  reference:
    - https://docs.microsoft.com/en-us/azure/key-vault/keys/about-keys-details
  tags: cloud,devops,azure,microsoft,keyvault,azure-cloud-config

flow: |
  code(1);
  for (let vaultName of iterate(template.vaultNames)) {
    set("vaultName", vaultName)
    code(2);
    for (let keyId of iterate(template.keyIds)) {
      set("keyId", keyId)
      code(3)
    }
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az keyvault list --query '[*].name' --output json

    extractors:
      - type: json
        name: vaultNames
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az keyvault key list --vault-name $vaultName --query '[?(attributes.enabled==`true`)].kid' --output json

    extractors:
      - type: json
        name: keyIds
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az keyvault key show --id $keyId --query 'tags' --output json

    matchers:
      - type: word
        words:
          - '{}'

    extractors:
      - type: dsl
        dsl:
          - 'vaultName + " CMK " + keyId + " is not properly tagged as part of the app-tier resource"'
# digest: 490a004630440220569cd95798e47c183ab44f75a846703ea0c3e9a6f9295809da50faa4bf400302022061aa5ba50dfd36eb233af955be3f2eb315207a2094c03cb7dac560acfd1a8c6b:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./cloud/azure/keyvault/azure-app-tier-cmk-untagged.yaml