Ensure Cognitive Services account encryption CMKs are enabled

Error: Cognitive Services account encryption CMKs are disabled

Bridgecrew Policy ID: BC_AZR_STORAGE_3
Checkov Check ID: CKV2_AZURE_22
Severity: LOW

Azure Cognitive Services account encryption CMKs are disabled


By default, all data at rest in an Azure Cognitive Services account is encrypted using Microsoft Managed Keys. It is recommended to use Customer Managed Keys to encrypt data in Azure Cognitive Services accounts for better control of the data access.

Fix - Buildtime


  • Resource: azurerm_cognitive_account, azurerm_cognitive_account_customer_managed_key, azurerm_key_vault, azurerm_key_vault_key
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "example" {
  name                = "examplekv"
  location            = "location"
  resource_group_name = "group"
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  purge_protection_enabled = true

resource "azurerm_key_vault_key" "example" {
  name         = "tfex-key"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

resource "azurerm_cognitive_account" "cognitive_account_good" {
  name                     = "example-account"
  resource_group_name      = "group"
  location                 = "location"
  kind                     = "Face"
  sku_name                 = "E0"

resource "azurerm_cognitive_account_customer_managed_key" "good_cmk" {
  cognitive_account_id = azurerm_storage_account.cognitive_account_good.id
  key_vault_id       = azurerm_key_vault.example.id
  key_name           = azurerm_key_vault_key.example.name