Ensure Cognitive Services account encryption CMKs are enabled
Error: Cognitive Services account encryption CMKs are disabled
Bridgecrew Policy ID: BC_AZR_STORAGE_3
Checkov Check ID: CKV2_AZURE_22
Severity: LOW
Azure Cognitive Services account encryption CMKs are disabled
Description
By default, all data at rest in an Azure Cognitive Services account is encrypted with Microsoft-managed keys. Encrypting it with a customer-managed key (CMK) held in Azure Key Vault is recommended: you then control the key's lifecycle and access policy, and can rotate or revoke it independently of the service. Note that CMK is only offered on the E0 pricing tier for the account kinds that support it, the Key Vault must have soft delete and purge protection enabled, and the account needs a managed identity with Get, WrapKey and UnwrapKey permissions on the key.
Fix - Buildtime
Terraform
- Resource: azurerm_cognitive_account, azurerm_cognitive_account_customer_managed_key, azurerm_key_vault, azurerm_key_vault_key, azurerm_key_vault_access_policy
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "example" {
  name                       = "examplekv"
  location                   = "location"
  resource_group_name        = "group"
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  # Cognitive Services CMK requires soft delete and purge protection on the vault
  soft_delete_retention_days = 7
  purge_protection_enabled   = true
}

# The identity running Terraform also needs Create/Get/List key permissions on
# the vault (via an access policy or RBAC) to create this key; omitted here.
resource "azurerm_key_vault_key" "example" {
  name         = "tfex-key"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
}

# A managed identity is needed so Key Vault can authorize the account;
# CMK is only offered on the E0 pricing tier.
resource "azurerm_cognitive_account" "cognitive_account_good" {
  name                = "example-account"
  resource_group_name = "group"
  location            = "location"
  kind                = "Face"
  sku_name            = "E0"

  identity {
    type = "SystemAssigned"
  }
}

# Grant the account's identity the key permissions needed to wrap/unwrap the DEK
resource "azurerm_key_vault_access_policy" "cognitive" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = azurerm_cognitive_account.cognitive_account_good.identity[0].tenant_id
  object_id    = azurerm_cognitive_account.cognitive_account_good.identity[0].principal_id

  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

resource "azurerm_cognitive_account_customer_managed_key" "good_cmk" {
  cognitive_account_id = azurerm_cognitive_account.cognitive_account_good.id
  key_vault_key_id     = azurerm_key_vault_key.example.id

  depends_on = [azurerm_key_vault_access_policy.cognitive]
}
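Checkov only evaluates the Terraform; to confirm that accounts already deployed actually use a Key Vault key, the same property can be read from `az cognitiveservices account list -o json` (or `show`) output. The following Python is an added example, not code from the Bridgecrew or Checkov projects. The sample JSON is constructed to resemble that CLI output, and the field path properties.encryption.keySource / keyVaultProperties is assumed from the Microsoft.CognitiveServices/accounts resource schema. An account is only reported compliant when keySource is Microsoft.KeyVault and a key name and vault URI are present; a null or missing encryption block, or keySource Microsoft.CognitiveServices, means Microsoft-managed keys.

```python
import json
from typing import Dict, List, Optional

# Constructed sample shaped like `az cognitiveservices account list -o json`,
# trimmed to the fields this check reads. Not real CLI output.
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "face-prod", "resourceGroup": "group", "kind": "Face",
   "sku": {"name": "E0"},
   "properties": {"encryption": {"keySource": "Microsoft.KeyVault",
     "keyVaultProperties": {"keyName": "tfex-key",
       "keyVaultUri": "https://examplekv.vault.azure.net/", "keyVersion": "1"}}}},
  {"name": "speech-dev", "resourceGroup": "group", "kind": "SpeechServices",
   "sku": {"name": "S0"},
   "properties": {"encryption": {"keySource": "Microsoft.CognitiveServices"}}},
  {"name": "vision-legacy", "resourceGroup": "group", "kind": "ComputerVision",
   "sku": {"name": "S1"},
   "properties": {"encryption": null}},
  {"name": "half-configured", "resourceGroup": "group", "kind": "Face",
   "sku": {"name": "E0"},
   "properties": {"encryption": {"keySource": "Microsoft.KeyVault"}}},
  {"name": "no-props", "resourceGroup": "group", "kind": "Face",
   "sku": {"name": "E0"}}
]
"""

# keySource value the ARM schema uses for customer-managed keys (assumed).
CMK_KEY_SOURCE = "Microsoft.KeyVault"


def cmk_key_id(account: dict) -> Optional[str]:
    """Return 'vaultUri/keys/keyName' for a CMK-encrypted account, else None.

    Tolerates a missing 'properties' block and a null 'encryption' value,
    both of which mean the account is on Microsoft-managed keys.
    """
    props = account.get("properties") or {}
    encryption = props.get("encryption") or {}
    if encryption.get("keySource") != CMK_KEY_SOURCE:
        return None
    kv = encryption.get("keyVaultProperties") or {}
    name, uri = kv.get("keyName"), kv.get("keyVaultUri")
    if not name or not uri:
        # keySource says Key Vault but no key is bound: treat as not compliant
        return None
    return f"{uri.rstrip('/')}/keys/{name}"


def uses_cmk(account: dict) -> bool:
    """True only when the account is bound to a Key Vault key."""
    return cmk_key_id(account) is not None


def audit(accounts_json: str) -> Dict[str, List[str]]:
    """Bucket accounts (as resourceGroup/name) into compliant and non_compliant."""
    result: Dict[str, List[str]] = {"compliant": [], "non_compliant": []}
    for acct in json.loads(accounts_json):
        label = f"{acct['resourceGroup']}/{acct['name']}"
        result["compliant" if uses_cmk(acct) else "non_compliant"].append(label)
    return result


if __name__ == "__main__":
    report = audit(SAMPLE_ACCOUNTS_JSON)
    for label in report["non_compliant"]:
        print(f"CKV2_AZURE_22 FAILED  {label}: Microsoft-managed keys")
    for label in report["compliant"]:
        print(f"CKV2_AZURE_22 PASSED  {label}")
```

Run it against live output by replacing SAMPLE_ACCOUNTS_JSON with the stdout of the az command; the resourceGroup/name labels map directly to the Terraform resources above.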
Updated over 1 year ago