Ensure Customer Managed Key (CMK) is configured for Azure Healthcare Service

MEDIUM

Description

Azure Healthcare Service (Azure API for FHIR) encrypts the data in its backing Cosmos DB database with a Microsoft-managed key by default. Configuring a customer managed key (CMK) held in Azure Key Vault gives administrators control over the key that protects that data at rest: the key can be rotated on the organisation's own schedule, use of it is logged and can be revoked through Key Vault, and the arrangement satisfies compliance regimes that require the customer to own the encryption keys. With a platform-managed key the customer has no visibility into the key's lifecycle or rotation and cannot cut off access to the data by disabling the key. Use a customer managed key wherever the service supports it.

Remediation

At this time, no remediation steps are available in the Azure portal. For CLI remediation, see the product documentation referenced below, or use Terraform. Note that the encryption key configuration cannot be changed on an existing resource: setting a customer managed key in Terraform forces the resource to be destroyed and recreated, so plan for exporting and reloading the FHIR data before applying the change.

In Terraform -

  1. In the azurerm_healthcare_service resource, set cosmosdb_key_vault_key_versionless_id to the versionless ID of an RSA key in an Azure Key Vault that has soft delete and purge protection enabled and that grants the Azure Cosmos DB service principal the Get, Wrap Key and Unwrap Key permissions.
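The following configuration is an added example, not taken from this policy page or from the Terraform provider documentation. It shows the remediation step above together with the Key Vault prerequisites the service depends on: a vault with purge protection, an RSA key, and an access policy for the Azure Cosmos DB service principal. All resource names, the location and the variable value are assumptions; the Cosmos DB principal's object ID differs per tenant and is passed in as a variable.

```hcl
# Added example of azurerm_healthcare_service with a customer managed key.
# Names, location and the variable value are assumptions for illustration.

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

# Object ID (in this tenant) of the Azure Cosmos DB first-party service
# principal, application ID a232010e-820c-4083-83bb-3ace5fc29d0b. Look it up with:
#   az ad sp show --id a232010e-820c-4083-83bb-3ace5fc29d0b --query id -o tsv
variable "cosmosdb_sp_object_id" {
  type = string
}

resource "azurerm_resource_group" "example" {
  name     = "rg-fhir-cmk"
  location = "westus2"
}

# CMK for the backing Cosmos DB requires soft delete and purge protection,
# so that the key cannot be permanently destroyed out from under the data.
resource "azurerm_key_vault" "example" {
  name                       = "kv-fhir-cmk-example"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 90
  purge_protection_enabled   = true
}

# The principal running Terraform needs rights to create and manage the key.
resource "azurerm_key_vault_access_policy" "deployer" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions = [
    "Create", "Get", "List", "Delete", "Recover", "Purge",
    "GetRotationPolicy", "SetRotationPolicy",
  ]
}

# Cosmos DB only wraps and unwraps its data encryption key with the CMK,
# so it gets exactly those permissions and nothing more.
resource "azurerm_key_vault_access_policy" "cosmosdb" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = var.cosmosdb_sp_object_id

  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

# The key itself must be RSA; it is only ever used for key wrapping.
resource "azurerm_key_vault_key" "cmk" {
  name         = "fhir-cmk"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["wrapKey", "unwrapKey"]

  depends_on = [azurerm_key_vault_access_policy.deployer]
}

resource "azurerm_healthcare_service" "example" {
  name                = "fhir-cmk-example"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  kind                = "fhir-R4"
  cosmosdb_throughput = 400

  # The versionless ID lets the service follow new key versions produced by
  # Key Vault rotation. Changing this argument forces a new resource.
  cosmosdb_key_vault_key_versionless_id = azurerm_key_vault_key.cmk.versionless_id

  access_policy_object_ids = [data.azurerm_client_config.current.object_id]

  # Key Vault must trust the Cosmos DB principal before the service is created,
  # otherwise provisioning fails when the backing database tries to use the key.
  depends_on = [azurerm_key_vault_access_policy.cosmosdb]
}
```

To confirm the setting on a deployed resource, inspect the service's ARM properties: a compliant service carries the key URI under properties.cosmosDbConfiguration.keyVaultKeyUri, while a service using the platform-managed key has that field empty. Because the argument forces replacement, run terraform plan first and check that the plan shows a destroy-and-create of the healthcare service rather than an in-place update, and export the FHIR data beforehand.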

References:
https://learn.microsoft.com/en-us/azure/healthcare-apis/
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/healthcare_service#cosmosdb_key_vault_key_versionless_id

Policy Details

Rule Reference ID: AC_AZURE_0220
CSP: Azure
Remediation Available: Yes
Resource Category: Analytics
Resource Type: HealthCare Service

Frameworks