Ensure Cosmos DB accounts have customer-managed keys to encrypt data at rest

Error: Cosmos DB Accounts do not have customer-managed keys encrypting data at rest

Bridgecrew Policy ID: BC_AZR_GENERAL_21
Checkov Check ID: CKV_AZURE_100
Severity: LOW

Cosmos DB Accounts do not have customer-managed keys encrypting data at rest

Description

Data stored in Azure Cosmos account is automatically encrypted with keys managed by Microsoft (service-managed keys). Customer-managed keys (CMKs) give users total control over the keys used by Azure Cosmos DB to encrypt their data at rest. Built as an additional encryption layer on top of the Azure Cosmos DB default encryption at rest with service managed keys, it uses Azure Key Vault to store encryption keys and provides a way to implement double encryption.

Fix - Buildtime

Terraform

  • Resource: azurerm_cosmosdb_account
  • Argument: key_vault_key_id - (Optional) A versionless Key Vault Key ID for CMK encryption. Changing this forces a new resource to be created.
resource "azurerm_cosmosdb_account" "db" {
  name                = "tfex-cosmos-db-${random_integer.ri.result}"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  offer_type          = "Standard"
  kind                = "GlobalDocumentDB"

  enable_automatic_failover = true

  capabilities {
    name = "EnableAggregationPipeline"
  }

  capabilities {
    name = "mongoEnableDocLevelTTL"
  }

  capabilities {
    name = "MongoDBv3.4"
  }

  consistency_policy {
    consistency_level       = "BoundedStaleness"
    max_interval_in_seconds = 10
    max_staleness_prefix    = 200
  }

  geo_location {
    location          = var.failover_location
    failover_priority = 1
  }

  geo_location {
    location          = azurerm_resource_group.rg.location
    failover_priority = 0
  }
}

Did this page help you?