id: azure-storage-byok-not-used
info:
  name: Azure Storage Account Not Using BYOK
  author: princechaddha
  severity: high
  description: |
    Ensure that your Azure Storage accounts are using customer-managed keys (also known as Bring Your Own Keys - BYOKs) instead of service-managed keys (default keys used by Microsoft Azure for data encryption), in order to have a more granular control over your Azure Storage data encryption and decryption process.
  impact: |
    Not using BYOK for data encryption in Azure Storage accounts can limit your control over the encryption keys and may not comply with certain regulatory requirements.
  remediation: |
    Configure your Azure Storage accounts to use customer-managed keys (BYOK) for data encryption to ensure compliance and enhanced security.
  reference:
    - https://docs.microsoft.com/en-us/azure/storage/common/storage-encryption-keys-manage
  tags: cloud,devops,azure,microsoft,storage,azure-cloud-config

flow: |
  code(1);
  for (let StorageData of iterate(template.storageList)) {
    StorageData = JSON.parse(StorageData);
    set("name", StorageData.Name);
    code(2);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az storage account list --query '[*].{"Name":name}'

    extractors:
      - type: json
        name: storageList
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az storage account show --name "$name" --query 'encryption.keyVaultProperties.keyName' --output json

    matchers:
      - type: word
        words:
          - ''

    extractors:
      - type: dsl
        dsl:
          - 'name + " Storage Account is not using BYOK"'
# digest: 4a0a00473045022100935dd43fa8ef393577305ac9600edb1cea56d1bde7b78e88700a0620e7c9f303022018958d6a576e63c7a95c5dd6f6cbf726925ae989c1da64012061c977f844e05d:922c64590222798bb761d5b6d8e72950