azure-sql-mi-tde-cmk-not-enabled: Azure SQL MI TDE Not Using Customer-Managed Keys

日期: 2025-08-01 | 影响软件: Azure SQL MI | POC: 已公开

漏洞描述

Ensure that Transparent Data Encryption (TDE) with Customer-Managed Keys (CMKs) is enabled for your Microsoft Azure SQL managed instances. The TDE protector configured for your Azure SQL managed instances must be encrypted with a Customer-Managed Key in order to protect your managed SQL databases with a key from your own Azure key vault. This enables you to have full control over the encryption and decryption process and meet strict compliance requirements.

PoC代码[已公开]

id: azure-sql-mi-tde-cmk-not-enabled
info:
  name: Azure SQL MI TDE Not Using Customer-Managed Keys
  author: princechaddha
  severity: medium
  description: |
    Ensure that Transparent Data Encryption (TDE) with Customer-Managed Keys (CMKs) is enabled for your Microsoft Azure SQL managed instances. The TDE protector configured for your Azure SQL managed instances must be encrypted with a Customer-Managed Key in order to protect your managed SQL databases with a key from your own Azure key vault. This enables you to have full control over the encryption and decryption process and meet strict compliance requirements.
  impact: |
    Not using Customer-Managed Keys for Transparent Data Encryption can compromise data security by relying on less controlled service-managed keys and potentially fail to meet compliance requirements.
  remediation: |
    Configure Transparent Data Encryption to use Customer-Managed Keys by setting the TDE protector to use a key from your Azure key vault for your SQL managed instances.
  reference:
    - https://docs.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-tde-overview
  tags: cloud,devops,azure,microsoft,sql-managed-instance,azure-cloud-config

flow: |
  code(1);
  for (let SQLMI of iterate(template.sqlManagedInstanceList)) {
    set("ids", SQLMI);
    code(2);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az sql mi list --query '[*].{"id":id}'

    extractors:
      - type: json
        name: sqlManagedInstanceList
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az sql mi tde-key show --ids "$ids" --query 'serverKeyType'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"ServiceManaged"'

    extractors:
      - type: dsl
        dsl:
          - 'ids + " is using a service-managed key for TDE, not a CMK"'
# digest: 490a00463044022038d91d0a95fa1355a1c032c403dae82aad4c38de8f7949e96be2840be0b479f202206988d3179e518607544a93433cd0606580437539ca57593318edb506b505cc0c:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./cloud/azure/sql/azure-sql-mi-tde-cmk-not-enabled.yaml