Azure SQL MI TDE Not Using Customer-Managed Keys
ID: azure-sql-mi-tde-cmk-not-enabled
Severity: medium
Author: princechaddha
Tags: cloud,devops,azure,microsoft,sql-managed-instance,azure-cloud-config
Description

Ensure that Transparent Data Encryption (TDE) with Customer-Managed Keys (CMKs) is enabled for your Microsoft Azure SQL managed instances. The TDE protector configured for your Azure SQL managed instances must be encrypted with a Customer-Managed Key in order to protect your managed SQL databases with a key from your own Azure key vault. This enables you to have full control over the encryption and decryption process and meet strict compliance requirements.
YAML Source

id: azure-sql-mi-tde-cmk-not-enabled

info:
  name: Azure SQL MI TDE Not Using Customer-Managed Keys
  author: princechaddha
  severity: medium
  description: |
    Ensure that Transparent Data Encryption (TDE) with Customer-Managed Keys (CMKs) is enabled for your Microsoft Azure SQL managed instances. The TDE protector configured for your Azure SQL managed instances must be encrypted with a Customer-Managed Key in order to protect your managed SQL databases with a key from your own Azure key vault. This enables you to have full control over the encryption and decryption process and meet strict compliance requirements.
  impact: |
    Not using Customer-Managed Keys for Transparent Data Encryption can compromise data security by relying on less controlled service-managed keys and potentially fail to meet compliance requirements.
  remediation: |
    Configure Transparent Data Encryption to use Customer-Managed Keys by setting the TDE protector to use a key from your Azure key vault for your SQL managed instances.
  reference:
    - https://docs.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-tde-overview
  tags: cloud,devops,azure,microsoft,sql-managed-instance,azure-cloud-config

flow: |
  code(1);
  for (let SQLMI of iterate(template.sqlManagedInstanceList)) {
    set("ids", SQLMI);
    code(2);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az sql mi list --query '[*].{"id":id}'

    extractors:
      - type: json
        name: sqlManagedInstanceList
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az sql mi tde-key show --ids "$ids" --query 'serverKeyType'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"ServiceManaged"'

    extractors:
      - type: dsl
        dsl:
          - 'ids + " is using a service-managed key for TDE, not a CMK"'
# digest: 490a00463044022038d91d0a95fa1355a1c032c403dae82aad4c38de8f7949e96be2840be0b479f202206988d3179e518607544a93433cd0606580437539ca57593318edb506b505cc0c:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/azure/sql/azure-sql-mi-tde-cmk-not-enabled.yaml"
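The two-step check the template's flow performs (list managed instances, then inspect each TDE protector and flag `ServiceManaged`) can also be run as a plain shell audit. The script below is an added example, not part of the Nuclei template or the nuclei-templates project; the sample `tde-key show` outputs are constructed, the instance IDs in the demo are placeholders, and the `--live` path assumes a logged-in az CLI.

```shell
#!/bin/sh
# Added example, not part of the Nuclei template: classify the TDE protector
# of Azure SQL managed instances the same way the template's matcher does.
# Assumes the az CLI is installed and logged in when run with --live.

# Constructed sample outputs of `az sql mi tde-key show` (not real instances).
SAMPLE_SERVICE_MANAGED='{"name": "current", "serverKeyType": "ServiceManaged"}'
SAMPLE_CMK='{"name": "current", "serverKeyType": "AzureKeyVault", "uri": "https://example-kv.vault.azure.net/keys/tde/0000"}'

# classify_tde_key JSON: prints a one-line verdict for one tde-key result.
# A protector of type ServiceManaged is the finding the template reports;
# AzureKeyVault means a customer-managed key from Key Vault is in use.
classify_tde_key() {
  key_type=$(printf '%s\n' "$1" |
    sed -n 's/.*"serverKeyType"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1)
  case "$key_type" in
    ServiceManaged) echo "FINDING: service-managed key" ;;
    AzureKeyVault)  echo "OK: customer-managed key" ;;
    "")             echo "UNKNOWN: no serverKeyType in output" ;;
    *)              echo "UNKNOWN: unexpected key type $key_type" ;;
  esac
}

# audit_managed_instances: list every managed instance, inspect each
# protector, print one tab-separated line per instance and a findings count.
audit_managed_instances() {
  findings=0
  for id in $(az sql mi list --query '[*].id' -o tsv); do
    verdict=$(classify_tde_key "$(az sql mi tde-key show --ids "$id" -o json 2>/dev/null)")
    printf '%s\t%s\n' "$id" "$verdict"
    case "$verdict" in FINDING*) findings=$((findings + 1)) ;; esac
  done
  echo "findings=$findings"
}

# Run against the constructed samples by default; --live queries the subscription.
if [ "${1:-}" = "--live" ]; then
  audit_managed_instances
else
  classify_tde_key "$SAMPLE_SERVICE_MANAGED"
  classify_tde_key "$SAMPLE_CMK"
fi
```

The classifier parses the full JSON object rather than the bare `--query 'serverKeyType'` string, so it also reports instances whose output carries no key type at all instead of silently treating them as compliant.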