feat(query): new query for terraform/azure that ensures that critical data is encrypted with CMK for storage_account #7756
+193
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… is encrypted with cmk" This reverts commit d41459d.
…ypted with CMK for storage_account
github-actions
bot
added
feature
|
KICS version: v2.1.13
|
…is_encrypted_with_cmk
…with_cmk' of https://github.com/Checkmarx/kics into AST-106783-2_1_1_2_1_ensure_critical_data_is_encrypted_with_cmk
…is_encrypted_with_cmk
…with_cmk' of https://github.com/Checkmarx/kics into AST-106783-2_1_1_2_1_ensure_critical_data_is_encrypted_with_cmk
…is_encrypted_with_cmk
…is_encrypted_with_cmk
…with_cmk' of https://github.com/Checkmarx/kics into AST-106783-2_1_1_2_1_ensure_critical_data_is_encrypted_with_cmk
…is_encrypted_with_cmk
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Reason for Proposed Changes
azurerm_storage_accountfor Terraform/Azure is being encrypted with Customer Managed Keys (CMK).Proposed Changes
azurerm_storage_accountis encrypted with Customer Managed Keys (CMK).customer_managed_keyusing the resourceazurerm_storage_accountthat are:azurerm_storage_accountwith the fieldkey_vault_key_iddefined with the ID of the Key Vault Key inside thecustomer_managed_keyblock.azurerm_storage_account_customer_managed_keyresource and reference anazurerm_storage_accountusing thestorage_account_idrequired field.get_restakes all the resources as an argument, and handles the following four positive cases:azurerm_storage_accountwith acustomer_managed_keyblock defined, but with the field key_vault_key_id` defined within,azurerm_storage_accountwith the blockcustomer_managed_blocknot defined.azurerm_storage_account_customer_managed_blockreferencing a resource of typeazurerm_storage_accountthrough the fieldstorage_account_idincorrectly(with name that is different from the one on the resource of typeazurerm_storage_account).azurerm_storage_account_customer_managed_blockreferencing a resource of typeazurerm_storage_accountbut there is not resource of typeazurerm_storage_accountdefined on the template.azurerm_storage_accountwith the fieldkey_vault_key_iddefined within thecustomer_managed_keyblock or by being referenced by a resource of typeazurerm_storage_account_customer_managed_keyand, the only module that I found that is similar to the resources covered in this query, does not have any fieldkey_valt_key_idon is documentation and, the fields that can be the reason that a vulnerability is present on the module(key_vault_resource_id,key_name, etc...) are all required field thus, it does not make sense to handle the module on the same way we handled the possible vulnerable configurations on the resources mentioned above.I submit this contribution under the Apache-2.0 license.