54 lines
1.9 KiB
YAML
54 lines
1.9 KiB
YAML
id: azure-storage-byok-not-used
|
|
info:
|
|
name: Azure Storage Account Not Using BYOK
|
|
author: princechaddha
|
|
severity: high
|
|
description: |
|
|
Ensure that your Azure Storage accounts are using customer-managed keys (also known as Bring Your Own Keys - BYOKs) instead of service-managed keys (default keys used by Microsoft Azure for data encryption), in order to have a more granular control over your Azure Storage data encryption and decryption process.
|
|
impact: |
|
|
Not using BYOK for data encryption in Azure Storage accounts can limit your control over the encryption keys and may not comply with certain regulatory requirements.
|
|
remediation: |
|
|
Configure your Azure Storage accounts to use customer-managed keys (BYOK) for data encryption to ensure compliance and enhanced security.
|
|
reference:
|
|
- https://docs.microsoft.com/en-us/azure/storage/common/storage-encryption-keys-manage
|
|
tags: cloud,devops,azure,microsoft,storage,azure-cloud-config
|
|
|
|
flow: |
|
|
code(1);
|
|
for (let StorageData of iterate(template.storageList)) {
|
|
StorageData = JSON.parse(StorageData);
|
|
set("name", StorageData.Name);
|
|
code(2);
|
|
}
|
|
|
|
self-contained: true
|
|
code:
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
az storage account list --query '[*].{"Name":name}'
|
|
|
|
extractors:
|
|
- type: json
|
|
name: storageList
|
|
internal: true
|
|
json:
|
|
- '.[]'
|
|
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
az storage account show --name "$name" --query 'encryption.keyVaultProperties.keyName' --output json
|
|
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- ''
|
|
|
|
extractors:
|
|
- type: dsl
|
|
dsl:
|
|
- 'name + " Storage Account is not using BYOK"'
|
|
# digest: 4a0a00473045022100935dd43fa8ef393577305ac9600edb1cea56d1bde7b78e88700a0620e7c9f303022018958d6a576e63c7a95c5dd6f6cbf726925ae989c1da64012061c977f844e05d:922c64590222798bb761d5b6d8e72950 |