Ensure Azure Cognitive Services enables Customer Managed Keys (CMKs) for encryption

Error: Azure Cognitive Services does not Customer Managed Keys (CMKs) for encryption

Bridgecrew Policy ID: BC_AZR_GENERAL_82
Checkov Check ID: CKV2_AZURE_22
Severity: LOW

Azure Cognitive Services does not Customer Managed Keys (CMKs) for encryption

Description

This policy identifies Cognitive Services which are encrypted with default KMS keys and not with Keys managed by Customer. It is a best practice to use customer managed KMS Keys to encrypt your Cognitive Services data. It gives you full control over the encrypted data.

Runtime - Buildtime

Fix - Buildtime

Terraform

Resource: azurerm_cognitive_account_customer_managed_key
Argument: cognitive_account_id + key_vault_key_id

resource "azurerm_cognitive_account" "cognitive_account_good" {
  name                  = "example-account"
  location              = azurerm_resource_group.example.location
  resource_group_name   = azurerm_resource_group.example.name
  kind                  = "Face"
  sku_name              = "E0"
  public_network_access_enabled = false
}

resource "azurerm_key_vault" "good_vault" {
  name                     = "example-vault"
  location                 = azurerm_resource_group.example.location
  resource_group_name      = azurerm_resource_group.example.name
  tenant_id                = data.azurerm_client_config.current.tenant_id
  sku_name                 = "standard"
}

resource "azurerm_key_vault_key" "good_key" {
  name         = "example-key"
  key_vault_id = azurerm_key_vault.good_vault.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
}

resource "azurerm_cognitive_account_customer_managed_key" "good_cmk" {
  cognitive_account_id = azurerm_cognitive_account.cognitive_account_good.id
  key_vault_key_id     = azurerm_key_vault_key.good_key.id
}

Updated 10 months ago