Customer-Managed Key Not Tagged in Azure App Tier
ID: azure-app-tier-cmk-untagged
Severity: high
Author: princechaddha
Tags: cloud,devops,azure,microsoft,keyvault,azure-cloud-config
Description
Section titled “Description”Ensure that a Customer-Managed Key (CMK), also known as Bring Your Own Key (BYOK), is created and configured for your Microsoft Azure application tier to meet cloud security and compliance requirements. The conformity rule assumes all Azure cloud resources in your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>. The tag set for your Azure application tier must be pre-configured in the Cloud Conformity console.
YAML Source
Section titled “YAML Source”id: azure-app-tier-cmk-untaggedinfo: name: Customer-Managed Key Not Tagged in Azure App Tier author: princechaddha severity: high description: | Ensure that a Customer-Managed Key (CMK), also known as Bring Your Own Key (BYOK), is created and configured for your Microsoft Azure application tier to meet cloud security and compliance requirements. The conformity rule assumes all Azure cloud resources in your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>. The tag set for your Azure application tier must be pre-configured in the Cloud Conformity console. impact: | Not using properly tagged CMKs may lead to non-compliance with security standards and make cloud resources difficult to manage and audit. remediation: | Ensure all Customer-Managed Keys used in the application tier are properly tagged according to organizational policies. Update the key's metadata through the Azure portal or Azure CLI. reference: - https://docs.microsoft.com/en-us/azure/key-vault/keys/about-keys-details tags: cloud,devops,azure,microsoft,keyvault,azure-cloud-config
flow: | code(1); for (let vaultName of iterate(template.vaultNames)) { set("vaultName", vaultName) code(2); for (let keyId of iterate(template.keyIds)) { set("keyId", keyId) code(3) } }
self-contained: truecode: - engine: - sh - bash source: | az keyvault list --query '[*].name' --output json
extractors: - type: json name: vaultNames internal: true json: - '.[]'
- engine: - sh - bash source: | az keyvault key list --vault-name $vaultName --query '[?(attributes.enabled==`true`)].kid' --output json
extractors: - type: json name: keyIds internal: true json: - '.[]'
- engine: - sh - bash source: | az keyvault key show --id $keyId --query 'tags' --output json
matchers: - type: word words: - '{}'
extractors: - type: dsl dsl: - 'vaultName + " CMK " + keyId + " is not properly tagged as part of the app-tier resource"'# digest: 490a004630440220569cd95798e47c183ab44f75a846703ea0c3e9a6f9295809da50faa4bf400302022061aa5ba50dfd36eb233af955be3f2eb315207a2094c03cb7dac560acfd1a8c6b:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/azure/keyvault/azure-app-tier-cmk-untagged.yaml"