Beta - Storage Account Without CMK
- Query id: 9bf1568d-4cd2-4581-81ef-d2efabee1178
- Query name: Beta - Storage Account Without CMK
- Platform: Terraform
- Severity: Medium
- Category: Encryption
- CWE: 522
- Risk score: 3.0
- URL: Github
Description
The 'azurerm_storage_account' resource should enable encryption with a customer-managed key (CMK), either through its inline 'customer_managed_key' block or through an associated 'azurerm_storage_account_customer_managed_key' resource.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Positive sample: a storage account that is referenced by a diagnostic
# setting (below) but has no customer-managed key configured, so its data
# at rest is protected only by the platform-managed key. This is the
# pattern the query reports.
resource "azurerm_storage_account" "positive1_1" {
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.positive1_1.name
  location                 = azurerm_resource_group.positive1_1.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  # missing "customer_managed_key" block; there is also no separate
  # "azurerm_storage_account_customer_managed_key" resource pointing at
  # this account (compare the negative samples)
}
# Diagnostic setting that ships subscription diagnostics into the storage
# account above. Its presence is what makes the account relevant to this
# query (see negative sample 3, where the setting is absent and the
# account is not reported).
resource "azurerm_monitor_diagnostic_setting" "positive1_1" {
  name               = "positive1_1"
  target_resource_id = azurerm_subscription.positive1_1.id
  storage_account_id = azurerm_storage_account.positive1_1.id
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Negative sample 1: the account itself carries no "customer_managed_key"
# block; the CMK is attached by the separate
# "azurerm_storage_account_customer_managed_key" resource further down,
# which references this account by id. The query treats that association
# as sufficient.
resource "azurerm_storage_account" "negative1" { # associated with "azurerm_storage_account_customer_managed_key" resource
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.negative1.name
  location                 = azurerm_resource_group.negative1.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
}
# Diagnostic setting targeting the negative1 account; same shape as the
# positive sample, so the only difference that clears the finding is the
# CMK resource below.
resource "azurerm_monitor_diagnostic_setting" "negative1" {
  name               = "negative1"
  target_resource_id = azurerm_subscription.negative1.id
  storage_account_id = azurerm_storage_account.negative1.id
}
# Standalone CMK binding: encrypts the negative1 storage account with a
# key held in the referenced Key Vault. The vault and key resources are
# not part of the sample.
# NOTE(review): Azure requires the vault used for storage CMK to meet its
# CMK prerequisites (soft delete and purge protection) and the account to
# have an identity with access to the key — neither is shown here; confirm
# in the surrounding configuration.
resource "azurerm_storage_account_customer_managed_key" "negative1" {
  storage_account_id = azurerm_storage_account.negative1.id
  key_vault_id       = azurerm_key_vault.negative1.id
  key_name           = azurerm_key_vault_key.negative1.name
}
Negative test num. 2 - tf file
# Negative sample 2: the CMK is configured inline on the account via the
# "customer_managed_key" block, so no separate binding resource is needed.
resource "azurerm_storage_account" "negative2_1" { # sets "customer_managed_key" field
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.negative2_1.name
  location                 = azurerm_resource_group.negative2_1.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  # Key Vault key used for encryption at rest and the user-assigned
  # identity the account uses to reach it.
  # NOTE(review): the sample shows no identity block on the account that
  # would assign this user-assigned identity — presumably required for the
  # block to apply; confirm against the provider documentation.
  customer_managed_key {
    key_vault_key_id          = azurerm_key_vault_key.example.id
    user_assigned_identity_id = azurerm_user_assigned_identity.example.id
  }
}
# Diagnostic setting targeting the negative2_1 account; present so the
# account is in scope for the query, which then passes on the inline CMK.
resource "azurerm_monitor_diagnostic_setting" "negative2_1" {
  name               = "negative2_1"
  target_resource_id = azurerm_subscription.negative2_1.id
  storage_account_id = azurerm_storage_account.negative2_1.id
}
Negative test num. 3 - tf file
# Negative sample 3: no CMK at all, yet not reported. The sample indicates
# the query only evaluates storage accounts that are referenced by an
# "azurerm_monitor_diagnostic_setting"; an account that receives no
# diagnostic logs is out of scope for this check.
# NOTE(review): this does not mean such an account is encrypted with a
# CMK — it is simply not what this particular query looks for.
resource "azurerm_storage_account" "negative3" { # missing associated "azurerm_monitor_diagnostic_setting"
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.negative3.name
  location                 = azurerm_resource_group.negative3.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
}
Negative test num. 4 - tf file
# Negative sample 4: CMK is declared twice — inline via the
# "customer_managed_key" block here and via the separate
# "azurerm_storage_account_customer_managed_key" resource below. Either
# one alone satisfies the query.
# NOTE(review): the provider documents the inline block and the standalone
# resource as alternative ways to manage the same key; declaring both, as
# this sample does, may conflict at apply time — pick one in real
# configurations.
resource "azurerm_storage_account" "negative4" { # sets "customer_managed_key" block and is also associated with an "azurerm_storage_account_customer_managed_key" resource
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.negative4.name
  location                 = azurerm_resource_group.negative4.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  customer_managed_key {
    key_vault_key_id          = azurerm_key_vault_key.example.id
    user_assigned_identity_id = azurerm_user_assigned_identity.example.id
  }
}
# Diagnostic setting targeting the negative4 account; keeps the account in
# scope for the query.
resource "azurerm_monitor_diagnostic_setting" "negative4" {
  name               = "negative4"
  target_resource_id = azurerm_subscription.negative4.id
  storage_account_id = azurerm_storage_account.negative4.id
}
# Standalone CMK binding for the negative4 account. Note that it references
# a different key (azurerm_key_vault_key.negative4) than the inline block on
# the account (azurerm_key_vault_key.example); the sample is about the
# query's matching, not a recommended configuration.
resource "azurerm_storage_account_customer_managed_key" "negative4" {
  storage_account_id = azurerm_storage_account.negative4.id
  key_vault_id       = azurerm_key_vault.negative4.id
  key_name           = azurerm_key_vault_key.negative4.name
}