54 lines
1.9 KiB
YAML
54 lines
1.9 KiB
YAML
id: azure-storage-encryption-missing
|
|
info:
|
|
name: Azure Storage Infrastructure Encryption Not Enabled
|
|
author: princechaddha
|
|
severity: high
|
|
description: |
|
|
Ensure that Infrastructure Encryption feature is enabled for your Azure Storage accounts in order to use encryption at the hardware level on top of the default software encryption provided by Microsoft Azure cloud.
|
|
impact: |
|
|
Without Infrastructure Encryption, your data may be exposed to higher risks, as it lacks the additional hardware level security layer which complements the default software-based encryption.
|
|
remediation: |
|
|
Enable Infrastructure Encryption on your Azure Storage accounts to ensure data is encrypted at both software and hardware levels, enhancing the security posture.
|
|
reference:
|
|
- https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption
|
|
tags: cloud,devops,azure,microsoft,azure-storage,azure-cloud-config
|
|
|
|
flow: |
|
|
code(1);
|
|
for (let StorageData of iterate(template.storageList)) {
|
|
set("name", StorageData);
|
|
code(2);
|
|
}
|
|
|
|
self-contained: true
|
|
code:
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
az storage account list --query '[*].name'
|
|
|
|
extractors:
|
|
- type: json
|
|
name: storageList
|
|
internal: true
|
|
json:
|
|
- '.[]'
|
|
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
az storage account show --name "$name" --query '{"requireInfrastructureEncryption":encryption.requireInfrastructureEncryption}'
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- '"requireInfrastructureEncryption": null'
|
|
|
|
extractors:
|
|
- type: dsl
|
|
dsl:
|
|
- 'name + " does not have Infrastructure Encryption enabled"'
|
|
# digest: 4b0a0048304602210083f335ae422b70ed21eff3e41b433a6aa633854262270adebf7d887a1d7c77aa022100bfc1fd03bba721ff403c1b19d68bc6bb65aa321dbe7f82310316d70bf61e3612:922c64590222798bb761d5b6d8e72950 |