Ensure Azure Data Explorer encryption at rest uses a customer-managed key
Error: Azure Data Explorer encryption at rest does not use a customer-managed key
Bridgecrew Policy ID: BC_AZR_GENERAL_33
Checkov Check ID: CKV2_AZURE_11
Severity: LOW
Azure Data Explorer encryption at rest does not use a customer-managed key
Description
Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to managing the keys.
Fix - Buildtime
Terraform
- Resource: azurerm_kusto_cluster, azurerm_kusto_cluster_customer_managed_key
- Argument: cluster_id (of azurerm_kusto_cluster_customer_managed_key )
resource "azurerm_kusto_cluster" "cluster_ok" {
name = "kustocluster"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
sku {
name = "Standard_D13_v2"
capacity = 2
}
identity {
type = "SystemAssigned"
}
}
resource "azurerm_kusto_cluster_customer_managed_key" "example" {
cluster_id = azurerm_kusto_cluster.cluster_ok.id
key_vault_id = azurerm_key_vault.example.id
key_name = azurerm_key_vault_key.example.name
key_version = azurerm_key_vault_key.example.version
}
Updated 12 months ago