Ensure Azure Data Explorer encryption at rest uses a customer-managed key

Error: Azure Data Explorer encryption at rest does not use a customer-managed key

Bridgecrew Policy ID: BC_AZR_GENERAL_33
Checkov Check ID: CKV2_AZURE_11
Severity: LOW

Azure Data Explorer encryption at rest does not use a customer-managed key

Description

Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to managing the keys.

Fix - Buildtime

Terraform

  • Resource: azurerm_kusto_cluster, azurerm_kusto_cluster_customer_managed_key
  • Argument: cluster_id (of azurerm_kusto_cluster_customer_managed_key )
resource "azurerm_kusto_cluster" "cluster_ok" {
  name                = "kustocluster"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name

  sku {
    name     = "Standard_D13_v2"
    capacity = 2
  }

  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_kusto_cluster_customer_managed_key" "example" {
  cluster_id   = azurerm_kusto_cluster.cluster_ok.id
  key_vault_id = azurerm_key_vault.example.id
  key_name     = azurerm_key_vault_key.example.name
  key_version  = azurerm_key_vault_key.example.version
}