rules/findings/azure/databases/azure_database_mysql/azure-mysql-lack-cmk-encryption.json

{
    "args": [],
    "provider": "Azure",
    "serviceType": "Database for MySQL",
    "serviceName": "Databases",
    "displayName": "Ensure Azure Database for MySQL uses Customer Managed Keys for Encryption at Rest",
    "description": "Enable sensitive data encryption at rest using Customer Managed Keys (CMK) rather than Microsoft Managed Keys (MMK).",
    "rationale": "By default, data in Azure Database for MySQL is encrypted using Microsoft Service-Managed Keys (MMK), which constitutes an implied trust. If an organization wishes to control and manage encryption keys, however, customer-managed keys (CMK) can be supplied. The provided key is used to protect and control access to the key that encrypts the data. You can also choose to automatically update the key version used for Azure Database for MySQL encryption whenever a new version is available in the associated Key Vault.<br/><br/>NOTE: This is primarily recommended where control of encryption keys is specified by compliance or security framework requirements. In many circumstances, Microsoft Managed Key encryption is an acceptable method of accomplishing encryption at rest.",
    "impact": "If the key expires by setting the 'activation date' and 'expiration date', the user must rotate the key manually.<br/><br/>Using Customer Managed Keys may also incur additional man-hour requirements to create, store, manage, and protect the keys as needed.",
    "remediation": {
        "text": "
            ##### Remediate from Azure Portal
            1. From Azure Database for MySQL select the server you wish to audit.
            2. In the left column expand > Security.
            3. Select Data Encryption.
            4. Select Customer-managed key.
            5. In the window that opens, use a User assigned managed identity by either creating or selecting one.
            6. Choose a key selection method. For Enter a key identifier, enter the URL for the key in Azure Key Vault. For Select a key, navigate through the menu and choose the location of your key store by subscription, and whether it is a key vault or managed HSM.
            7. Once a key is chosen, select Save. Verify on the next window that your changes have taken effect.
        ",
        "code": {
            "powerShell": null,
            "iac": null,
            "terraform": null,
            "other": null
        }
    },
    "recommendation": null,
    "references": [
        "https://learn.microsoft.com/en-us/azure/mysql/flexible-server/security-customer-managed-key"
    ],
    "compliance": [
        {
            "name": "CIS Microsoft Azure Database Services",
            "version": "2.0.0",
            "reference": "5.1",
            "profile": [
                "Level 2"
            ]
        }
    ],
    "level": "medium",
    "tags": [],
    "rule": {
        "path": "az_mysql_servers",
        "subPath": null,
        "selectCondition": {},
        "query": [
            {
                "filter": [
                    {
                        "conditions": [
                            [
                                "encryption.type",
                                "eq",
                                "AzureKeyVault"
                            ]
                        ]
                    }
                ]
            }
        ],
        "shouldExist": "true",
        "returnObject": null,
        "removeIfNotExists": null
    },
    "output": {
        "html": {
            "data": {
                "properties": {
                    "name": "Name",
                    "location": "location",
                    "resourceGroupName": "Resource Group Name"
                },
                "expandObject": null
            },
            "table": "default",
            "decorate": [],
            "emphasis": [],
            "actions": {
                "objectData": {
                    "properties": [
                        "id",
                        "name",
                        "location",
                        "encryption"
                    ],
                    "expandObject": null,
                    "limit": null
                },
                "showGoToButton": "True",
                "showModalButton": "True",
                "directLink": null
            }
        },
        "text": {
            "data": {
                "properties": {
                    "name": "Name",
                    "location": "location",
                    "resourceGroupName": "Resource Group Name"
                },
                "expandObject": null
            },
            "status": {
                "keyName": ["name"],
                "message": "Ensure Azure Database for MySQL uses Customer Managed Keys for {name}",
                "defaultMessage": null
            },
            "properties": {
                "resourceName": "name",
                "resourceId": "id",
                "resourceType": "type"
            },
            "onlyStatus": false
        }
    },
    "idSuffix": "azure_mysql_lacks_customer_managed_key",
    "notes": [],
    "categories": [],
    "immutable_properties": [
        "name",
        "id"
    ],
    "id": "azure_mysql_001"
}