Ensure that your Microsoft Azure Storage accounts are using Customer Managed Keys (CMKs) instead of Microsoft Managed Keys (i.e., default keys used by Microsoft Azure for data encryption), in order to have more granular control over your Azure Storage data encryption and decryption process.
PoC代码[已公开]
id: azure-storage-cmk-not-used
info:
name: Azure Storage Account Not Using CMK
author: princechaddha
severity: high
description: |
Ensure that your Microsoft Azure Storage accounts are using Customer Managed Keys (CMKs) instead of Microsoft Managed Keys (i.e., default keys used by Microsoft Azure for data encryption), in order to have more granular control over your Azure Storage data encryption and decryption process.
impact: |
Not using Customer Managed Keys can limit your control over data encryption and decryption processes, potentially leading to security vulnerabilities.
remediation: |
Configure your Azure Storage accounts to use Customer Managed Keys for data encryption to enhance security and control.
reference:
- https://docs.microsoft.com/en-us/azure/storage/common/storage-encryption-keys-manage?tabs=portal
tags: cloud,devops,azure,microsoft,azure-storage,azure-cloud-config
flow: |
code(1);
for (let accountData of iterate(template.accountList)) {
accountData = JSON.parse(accountData);
set("name", accountData.Name);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az storage account list --query '[*].{"Name":name}'
extractors:
- type: json
name: accountList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az storage account show --name "$name" --query 'encryption.keyVaultProperties.keyName'
matchers:
- type: word
words:
- ''
extractors:
- type: dsl
dsl:
- '"Storage account " + name + " is not using CMKs for encryption"'
# digest: 4b0a00483046022100da77e67ad93462bef304f54f2367ef2cd32d05e7ce99b37762f97f1efae8de860221008dfa2f250c5eb66d8cd45d1321c69bc74a83d604a11750d252cf9a5ee11e3925:922c64590222798bb761d5b6d8e72950