Ensure Azure Cognitive Services enables Customer Managed Keys (CMKs) for encryption
Error: Azure Cognitive Services does not Customer Managed Keys (CMKs) for encryption
Bridgecrew Policy ID: BC_AZR_GENERAL_82
Checkov Check ID: CKV2_AZURE_22
Severity: LOW
Azure Cognitive Services does not Customer Managed Keys (CMKs) for encryption
Description
This policy identifies Cognitive Services which are encrypted with default KMS keys and not with Keys managed by Customer. It is a best practice to use customer managed KMS Keys to encrypt your Cognitive Services data. It gives you full control over the encrypted data.
Runtime - Buildtime
Fix - Buildtime
Terraform
- Resource: azurerm_cognitive_account_customer_managed_key
- Argument: cognitive_account_id + key_vault_key_id
resource "azurerm_cognitive_account" "cognitive_account_good" {
name = "example-account"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
kind = "Face"
sku_name = "E0"
public_network_access_enabled = false
}
resource "azurerm_key_vault" "good_vault" {
name = "example-vault"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "standard"
}
resource "azurerm_key_vault_key" "good_key" {
name = "example-key"
key_vault_id = azurerm_key_vault.good_vault.id
key_type = "RSA"
key_size = 2048
key_opts = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
}
resource "azurerm_cognitive_account_customer_managed_key" "good_cmk" {
cognitive_account_id = azurerm_cognitive_account.cognitive_account_good.id
key_vault_key_id = azurerm_key_vault_key.good_key.id
}
Updated 4 months ago