Skip to content
Nuclei Templates

Azure Storage Infrastructure Encryption Not Enabled

ID: azure-storage-encryption-missing

Severity: high

Author: princechaddha

Tags: cloud,devops,azure,microsoft,azure-storage,azure-cloud-config

Description

Section titled “Description”

Ensure that Infrastructure Encryption feature is enabled for your Azure Storage accounts in order to use encryption at the hardware level on top of the default software encryption provided by Microsoft Azure cloud.

YAML Source

Section titled “YAML Source”
id: azure-storage-encryption-missing
info:
  name: Azure Storage Infrastructure Encryption Not Enabled
  author: princechaddha
  severity: high
  description: |
    Ensure that Infrastructure Encryption feature is enabled for your Azure Storage accounts in order to use encryption at the hardware level on top of the default software encryption provided by Microsoft Azure cloud.
  impact: |
    Without Infrastructure Encryption, your data may be exposed to higher risks, as it lacks the additional hardware level security layer which complements the default software-based encryption.
  remediation: |
    Enable Infrastructure Encryption on your Azure Storage accounts to ensure data is encrypted at both software and hardware levels, enhancing the security posture.
  reference:
    - https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption
  tags: cloud,devops,azure,microsoft,azure-storage,azure-cloud-config


flow: |
  code(1);
  for (let StorageData of iterate(template.storageList)) {
    set("name", StorageData);
    code(2);
  }


self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az storage account list --query '[*].name'


    extractors:
      - type: json
        name: storageList
        internal: true
        json:
          - '.[]'


  - engine:
      - sh
      - bash
    source: |
      az storage account show --name "$name" --query '{"requireInfrastructureEncryption":encryption.requireInfrastructureEncryption}'


    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"requireInfrastructureEncryption": null'


    extractors:
      - type: dsl
        dsl:
          - 'name + " does not have Infrastructure Encryption enabled"'
# digest: 4a0a00473045022058e83abcaee7c75c16e574bce46a0e0f3517d6c37faca718c588f621ff9d5af6022100a1cf12fcb22c57549b477b80a782d54d135c0e2c3ff40c91ed8a5c4ebc6bea65:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "cloud/azure/storageaccounts/azure-storage-encryption-missing.yaml"

View on Github