Azure OpenAI Encryption using Customer-Managed Keys Not Enabled
ID: azure-openai-cmk-not-enabled
Severity: high
Author: princechaddha
Tags: cloud,devops,azure,microsoft,openai,azure-cloud-config
Description
Section titled “Description”Ensure that your Microsoft Azure OpenAI service instances are using Customer-Managed Keys (CMKs) instead of Microsoft-managed encryption keys (i.e., default keys used by Microsoft Azure for encryption at rest) in order to have a more granular control over your Azure OpenAI data encryption and decryption process.
YAML Source
Section titled “YAML Source”id: azure-openai-cmk-not-enabledinfo: name: Azure OpenAI Encryption using Customer-Managed Keys Not Enabled author: princechaddha severity: high description: | Ensure that your Microsoft Azure OpenAI service instances are using Customer-Managed Keys (CMKs) instead of Microsoft-managed encryption keys (i.e., default keys used by Microsoft Azure for encryption at rest) in order to have a more granular control over your Azure OpenAI data encryption and decryption process. impact: | Not using Customer-Managed Keys (CMKs) for Azure OpenAI instances can limit your control over encryption keys and potentially expose sensitive data to higher risks. remediation: | Configure your Azure OpenAI instances to use Customer-Managed Keys by setting up encryption key attributes in the Azure Key Vault and then linking them to your OpenAI service instances. reference: - https://docs.microsoft.com/en-us/azure/cognitive-services/encryption-key-management tags: cloud,devops,azure,microsoft,openai,azure-cloud-config
flow: | code(1); for (let ServiceData of iterate(template.serviceList)) { ServiceData = JSON.parse(ServiceData); set("name", ServiceData.Name); set("resourceGroup", ServiceData.ResourceGroup); code(2); }
self-contained: truecode: - engine: - sh - bash source: | az cognitiveservices account list --output json --query '[?(kind=="OpenAI")].{"Name":name,"ResourceGroup":resourceGroup}'
extractors: - type: json name: serviceList internal: true json: - '.[]'
- engine: - sh - bash source: | az cognitiveservices account show --name "$name" --resource-group "$resourceGroup" --query '{"encryptionKey":properties.encryption.keyVaultProperties.keyName}'
matchers-condition: and matchers: - type: word words: - 'encryptionKey' - 'null' condition: and
extractors: - type: dsl dsl: - '"$name in $resourceGroup does not use CMK"'# digest: 4a0a0047304502202d371c0b11e99b4639048d8838040f11717757a572237352dcc017df1fd69e630221008306f773a98c3b399126912a7b9338954bb249d368db8d7922f762bb4ef4632b:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/azure/aiservices/azure-openai-cmk-not-enabled.yaml"