Ensure customer-managed keys to encrypt data at rest for Azure CosmosDB Account

MEDIUM

Description

Using customer-managed keys gives administrators control over how data is encrypted, which helps meet compliance requirements and allows a more specific key rotation period. Relying on system-generated keys can sometimes leave expired or exposed keys in use, leaving data insecure. It is generally recommended to use a customer-managed key where the service supports it.

Remediation

Once the encryption method has been chosen for an account, it cannot be changed. Create a new resource that uses a customer-managed key for encryption by following the steps below. Note that changing the key_vault_key_id field in Terraform forces a new resource to be created.

In Azure Console -

  1. Open the Azure Portal and go to Cosmos DB.
  2. Select Create and choose the engine-type.
  3. Configure as needed; in the Encryption section, choose Customer-managed key and enter the Key URI.

In Terraform -

  1. In the azurerm_cosmosdb_account resource, set key_vault_key_id to a valid key ID.
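
The following is an added example, not configuration from the original page or from the Terraform provider documentation. It shows a minimal azurerm configuration that creates a Cosmos DB account with key_vault_key_id set, together with the Key Vault prerequisites the setting depends on (soft delete, purge protection, and an access policy for the Cosmos DB service principal). All resource names, the region, and the use of the azuread provider to look up the Cosmos DB principal are assumptions to adapt to your environment.

```hcl
# Added example (not from the original page): Cosmos DB account encrypted
# with a customer-managed key. Names, region and provider lookups are assumed.

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

# Cosmos DB's first-party service principal, looked up by display name so the
# object ID is not hardcoded. Requires the azuread provider (assumption).
data "azuread_service_principal" "cosmosdb" {
  display_name = "Azure Cosmos DB"
}

resource "azurerm_resource_group" "example" {
  name     = "rg-cosmos-cmk-example" # assumed name
  location = "westeurope"            # assumed region
}

# Customer-managed keys require a vault with soft delete and purge protection
# enabled, so the key cannot be permanently deleted while data depends on it.
resource "azurerm_key_vault" "example" {
  name                       = "kv-cosmos-cmk-example" # assumed; must be globally unique
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 90
  purge_protection_enabled   = true
}

# The identity running Terraform needs rights to create and manage the key.
resource "azurerm_key_vault_access_policy" "terraform" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id
  key_permissions = [
    "Create", "Delete", "Get", "List", "Purge", "Recover", "Update",
    "GetRotationPolicy", "SetRotationPolicy",
  ]
}

# Cosmos DB itself only needs to read, wrap and unwrap the key (least privilege).
resource "azurerm_key_vault_access_policy" "cosmosdb" {
  key_vault_id    = azurerm_key_vault.example.id
  tenant_id       = data.azurerm_client_config.current.tenant_id
  object_id       = data.azuread_service_principal.cosmosdb.object_id
  key_permissions = ["Get", "UnwrapKey", "WrapKey"]
}

resource "azurerm_key_vault_key" "cosmosdb" {
  name         = "cosmos-cmk" # assumed key name
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
  depends_on   = [azurerm_key_vault_access_policy.terraform]
}

# An azurerm_cosmosdb_account block without key_vault_key_id is what this rule
# flags: the account then falls back to service-managed keys. The block below
# passes the versionless key ID, so the account keeps following the key as new
# versions are created in the vault, and the field itself does not change.
resource "azurerm_cosmosdb_account" "example" {
  name                = "cosmos-cmk-example" # assumed; must be globally unique
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  offer_type          = "Standard"
  kind                = "GlobalDocumentDB"

  key_vault_key_id = azurerm_key_vault_key.cosmosdb.versionless_id

  consistency_policy {
    consistency_level = "Session"
  }

  geo_location {
    location          = azurerm_resource_group.example.location
    failover_priority = 0
  }

  # The Cosmos DB principal must be able to wrap the key before the account is created.
  depends_on = [azurerm_key_vault_access_policy.cosmosdb]
}
```

Run `terraform init` and `terraform plan` with both the azurerm and azuread providers configured. Because key_vault_key_id forces replacement, apply this to a new account rather than editing an existing one.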

References:
https://learn.microsoft.com/en-us/azure/cosmos-db/
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_account#key_vault_key_id

Policy Details

Rule Reference ID: AC_AZURE_0315
CSP: Azure
Remediation Available: Yes
Resource Category: Database
Resource Type: Cosmos DB Account

Frameworks