Beta - Key Vault Without HSM Protection

  • Query id: fbb8e5e0-6dea-41d3-8739-4f2405b0e22a
  • Query name: Beta - Key Vault Without HSM Protection
  • Platform: Terraform
  • Severity: Low
  • Category: Encryption
  • CWE: 326
  • Risk score: 1.0
  • URL: Github

Description

Key Vault keys should use an HSM-protected key type (RSA-HSM or EC-HSM, as in the passing samples below) rather than a software-protected one (RSA or EC) for added security.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "azurerm_key_vault_key" "positive1" {
  name         = "positive1-certificate"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
}

resource "azurerm_key_vault_key" "positive2" {
  name         = "positive2-certificate"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "EC"
  key_size     = 2048
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "azurerm_key_vault_key" "negative1" {
  name         = "negative1-certificate"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA-HSM"
  key_size     = 2048
}

resource "azurerm_key_vault_key" "negative2" {
  name         = "negative2-certificate"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "EC-HSM"
  key_size     = 2048
}
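The check this query performs can be reproduced outside KICS with a small scanner. The following Python script is an added example, not KICS's own Rego query or code from the KICS project: it parses the flat `azurerm_key_vault_key` blocks shown above, flags any whose `key_type` is not one of the HSM-backed types, and offers a rewrite to the HSM-backed equivalent. The sample HCL embedded in it is constructed from this page's positive and negative tests; the function names and the simplified regex-based HCL parsing (single-level blocks only, no nested blocks or expressions) are assumptions of this example.

```python
import re
from typing import Dict, List

# Key types accepted by this rule: both are HSM-protected key types in Azure Key Vault.
HSM_KEY_TYPES = {"RSA-HSM", "EC-HSM"}

# One azurerm_key_vault_key block: capture the resource label and the body between braces.
# Assumption: bodies are flat (no nested blocks), as in the KICS samples on this page.
_RESOURCE_RE = re.compile(
    r'resource\s+"azurerm_key_vault_key"\s+"([^"]+)"\s*\{(.*?)\}',
    re.DOTALL,
)
# One `attribute = value` line; quotes around the value are stripped if present.
_ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', re.MULTILINE)
# Software-protected key_type values that have a direct HSM-protected counterpart.
_SOFTWARE_KEY_TYPE_RE = re.compile(r'(key_type\s*=\s*")(RSA|EC)(")')

# Constructed sample: the positive and negative tests from this page, concatenated.
SAMPLE_HCL = '''
resource "azurerm_key_vault_key" "positive1" {
  name         = "positive1-certificate"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
}

resource "azurerm_key_vault_key" "positive2" {
  name         = "positive2-certificate"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "EC"
  key_size     = 2048
}

resource "azurerm_key_vault_key" "negative1" {
  name         = "negative1-certificate"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA-HSM"
  key_size     = 2048
}

resource "azurerm_key_vault_key" "negative2" {
  name         = "negative2-certificate"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "EC-HSM"
  key_size     = 2048
}
'''


def parse_key_resources(hcl: str) -> Dict[str, Dict[str, str]]:
    """Return {resource_label: {attribute: value}} for every azurerm_key_vault_key block."""
    resources: Dict[str, Dict[str, str]] = {}
    for label, body in _RESOURCE_RE.findall(hcl):
        resources[label] = {key: value for key, value in _ATTR_RE.findall(body)}
    return resources


def find_non_hsm_keys(hcl: str) -> List[str]:
    """Labels of key resources whose key_type is missing or not HSM-protected.

    A missing key_type is reported too: the rule wants an explicit HSM-backed type.
    """
    findings = []
    for label, attrs in parse_key_resources(hcl).items():
        if attrs.get("key_type") not in HSM_KEY_TYPES:
            findings.append(label)
    return findings


def remediate(hcl: str) -> str:
    """Rewrite key_type "RSA" -> "RSA-HSM" and "EC" -> "EC-HSM"; HSM types are left unchanged."""
    return _SOFTWARE_KEY_TYPE_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}-HSM{m.group(3)}", hcl)


if __name__ == "__main__":
    for label in find_non_hsm_keys(SAMPLE_HCL):
        print(f"[Low] {label}: key_type is not HSM-protected (use RSA-HSM or EC-HSM)")
    print("after remediation, findings:", find_non_hsm_keys(remediate(SAMPLE_HCL)))
```

Running the script reports `positive1` and `positive2` and none after the rewrite. One caveat before applying the rewrite to real code: HSM-protected keys (`RSA-HSM`, `EC-HSM`) are only supported by the Premium SKU of Key Vault, so the `sku_name` of the referenced `azurerm_key_vault` has to be checked as well, and since `key_type` forces replacement of the resource in the provider, changing it creates a new key rather than converting the existing one.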