Ensure Cosmos DB account is encrypted with customer-managed keys
Each Cosmos account is encrypted with service-managed keys (managed by Microsoft). Using customer-managed keys adds a second layer of encryption to your account.
Risk Level: Low
Cloud Entity: Azure Cosmos DB
CloudGuard Rule ID: D9.AZU.CRY.29
Covered by Spectral: Yes
Category: Database
GSL LOGIC
CosmosDbAccount should not have keyVaultKeyUri isEmpty()
REMEDIATION
Important service-managed keys feature is currently available only for new Cosmos DB accounts.
From Portal
- Go to 'Azure Cosmos DB' and create a new Cosmos DB account.
- On account creation, go to 'Encryption' tab.
- Select 'Customer-managed key'.
- Fill the 'Key URI' field with the relevant Key URI.
From TF
Set the 'key_vault_key_id' argument to your key URI on deployment:
resource "azurerm_cosmosdb_account" "db" {
..
key_vault_key_id = "https://MY-VAULT.vault.azure.net/keys/MY-KEY"
..
}
Note: Adding / changing the 'key_vault_key_id' will result in new Cosmos DB account creation.
References
- https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-setup-cmk
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_account#key_vault_key_id
Azure Cosmos DB
Azure Cosmos DB is a fully managed database service with turnkey global distribution and transparent multi-master replication. You can run globally distributed, low-latency operational and analytics workloads and AI on transactional data within your database.
Compliance Frameworks
- Azure CSA CCM v.4.0.1
- Azure CloudGuard Best Practices
- Azure HITRUST v9.5.0
- Azure ITSG-33
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset
Updated over 1 year ago