Ensure Azure Cognitive Services enables Customer Managed Keys (CMKs) for encryption

Error: Azure Cognitive Services does not use Customer Managed Keys (CMKs) for encryption

Bridgecrew Policy ID: BC_AZR_GENERAL_82
Checkov Check ID: CKV2_AZURE_22
Severity: LOW

Description

This policy identifies Cognitive Services accounts that are encrypted with the default Microsoft-managed (platform) keys rather than with keys managed by the customer. It is a best practice to use customer-managed keys held in Azure Key Vault to encrypt your Cognitive Services data, because it gives you full control over the encryption key and therefore over the encrypted data.

Fix - Buildtime

Terraform

  • Resource: azurerm_cognitive_account_customer_managed_key
  • Argument: cognitive_account_id + key_vault_key_id

resource "azurerm_cognitive_account" "cognitive_account_good" {
  name                          = "example-account"
  location                      = azurerm_resource_group.example.location
  resource_group_name           = azurerm_resource_group.example.name
  kind                          = "Face"
  sku_name                      = "E0"
  public_network_access_enabled = false

  # The account needs a managed identity that Key Vault can authorize to use the key
  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_key_vault" "good_vault" {
  name                = "example-vault"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Azure requires purge protection on vaults that hold customer-managed keys
  soft_delete_retention_days = 7
  purge_protection_enabled   = true
}

# The principal running Terraform must hold key Create/Get permissions on the vault
# (granted outside this snippet) for this key to be created
resource "azurerm_key_vault_key" "good_key" {
  name         = "example-key"
  key_vault_id = azurerm_key_vault.good_vault.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
}

# Grant the account's identity the key permissions needed to wrap and unwrap the data key
resource "azurerm_key_vault_access_policy" "cognitive_account" {
  key_vault_id = azurerm_key_vault.good_vault.id
  tenant_id    = azurerm_cognitive_account.cognitive_account_good.identity[0].tenant_id
  object_id    = azurerm_cognitive_account.cognitive_account_good.identity[0].principal_id

  key_permissions = ["Get", "UnwrapKey", "WrapKey"]
}

resource "azurerm_cognitive_account_customer_managed_key" "good_cmk" {
  cognitive_account_id = azurerm_cognitive_account.cognitive_account_good.id
  key_vault_key_id     = azurerm_key_vault_key.good_key.id

  depends_on = [azurerm_key_vault_access_policy.cognitive_account]
}
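As an added example (not Checkov's own implementation of CKV2_AZURE_22), the Python below reimplements the policy's logic described above over a constructed in-memory model of parsed Terraform resources: every azurerm_cognitive_account is flagged unless an azurerm_cognitive_account_customer_managed_key resource references its id. It also treats an inline customer_managed_key block on the account as compliant, which is an assumption about the provider made here for illustration; SAMPLE_RESOURCES and the dict shape are constructed, not taken from a real plan.

```python
import re

# Constructed sample input: a minimal dict model of parsed Terraform resources,
# roughly the shape an HCL parser such as python-hcl2 yields. Not a real plan.
SAMPLE_RESOURCES = [
    {
        "type": "azurerm_cognitive_account",
        "name": "cognitive_account_good",
        "config": {"kind": "Face", "sku_name": "E0"},
    },
    {
        "type": "azurerm_cognitive_account",
        "name": "cognitive_account_bad",
        "config": {"kind": "Face", "sku_name": "E0"},
    },
    {
        "type": "azurerm_cognitive_account",
        "name": "inline_cmk_account",
        "config": {
            "kind": "Face",
            "sku_name": "E0",
            # Assumed inline block; the check treats its presence as CMK-enabled
            "customer_managed_key": [{"key_vault_key_id": "${azurerm_key_vault_key.good_key.id}"}],
        },
    },
    {
        "type": "azurerm_cognitive_account_customer_managed_key",
        "name": "good_cmk",
        "config": {
            "cognitive_account_id": "${azurerm_cognitive_account.cognitive_account_good.id}",
            "key_vault_key_id": "${azurerm_key_vault_key.good_key.id}",
        },
    },
]

# Matches a reference to a cognitive account's id, with or without ${...} interpolation
ACCOUNT_REF = re.compile(r"^\$?\{?azurerm_cognitive_account\.([A-Za-z0-9_-]+)\.id\}?$")


def referenced_account(value):
    """Return the cognitive account name a cognitive_account_id value points at, or None."""
    if not isinstance(value, str):
        return None
    match = ACCOUNT_REF.match(value.strip())
    return match.group(1) if match else None


def accounts_without_cmk(resources):
    """Names of azurerm_cognitive_account resources that have no customer-managed key."""
    accounts = {r["name"] for r in resources if r["type"] == "azurerm_cognitive_account"}
    covered = set()
    for r in resources:
        cfg = r.get("config", {})
        if r["type"] == "azurerm_cognitive_account" and cfg.get("customer_managed_key"):
            covered.add(r["name"])
        elif r["type"] == "azurerm_cognitive_account_customer_managed_key":
            target = referenced_account(cfg.get("cognitive_account_id"))
            if target in accounts:
                covered.add(target)
    return sorted(accounts - covered)


if __name__ == "__main__":
    for name in accounts_without_cmk(SAMPLE_RESOURCES):
        print(f"FAILED CKV2_AZURE_22: azurerm_cognitive_account.{name} has no customer-managed key")
```

A literal ARM resource id in cognitive_account_id (an account created outside the module) does not match the reference pattern and is therefore not credited to any account in the same plan, which is the conservative choice for a buildtime check.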