Storage Account name does not follow naming rules
Description
By default, all data at rest in an Azure Cognitive Services account is encrypted using Microsoft Managed Keys. It is recommended to use Customer Managed Keys to encrypt data in Azure Cognitive Services accounts for better control of the data access.
Code Example

```hcl
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "example" {
  name                     = "examplekv"
  location                 = "location"
  resource_group_name      = "group"
  tenant_id                = data.azurerm_client_config.current.tenant_id
  sku_name                 = "standard"
  purge_protection_enabled = true
}

resource "azurerm_key_vault_key" "example" {
  name         = "tfex-key"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
}

resource "azurerm_cognitive_account" "cognitive_account_good" {
  name                = "example-account"
  resource_group_name = "group"
  location            = "location"
  kind                = "Face"
  sku_name            = "E0"

  # A managed identity is required so the account can fetch the key from Key Vault
  identity {
    type = "SystemAssigned"
  }
}

# Grant the account's identity the minimum key permissions needed for CMK
resource "azurerm_key_vault_access_policy" "cognitive_account" {
  key_vault_id    = azurerm_key_vault.example.id
  tenant_id       = data.azurerm_client_config.current.tenant_id
  object_id       = azurerm_cognitive_account.cognitive_account_good.identity[0].principal_id
  key_permissions = ["Get", "UnwrapKey", "WrapKey"]
}

resource "azurerm_cognitive_account_customer_managed_key" "good_cmk" {
  # Must reference the cognitive account itself, not a storage account
  cognitive_account_id = azurerm_cognitive_account.cognitive_account_good.id
  key_vault_id         = azurerm_key_vault.example.id
  key_name             = azurerm_key_vault_key.example.name

  depends_on = [azurerm_key_vault_access_policy.cognitive_account]
}
```

Remediation
Terraform
- Resource: azurerm_cognitive_account, azurerm_cognitive_account_customer_managed_key, azurerm_key_vault, azurerm_key_vault_key
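The following is an added example, not Checkov's own implementation of this rule. It shows the detection logic the rule describes: every azurerm_cognitive_account must be covered by a customer-managed key, either through an inline customer_managed_key block or through a separate azurerm_cognitive_account_customer_managed_key resource whose cognitive_account_id points at the account. It assumes the Terraform has already been parsed into a list of resource dictionaries (type, name, attributes); the sample resources at the bottom are constructed for illustration. It also goes slightly beyond the page by catching a CMK resource whose reference points at the wrong resource type, which would otherwise silently leave the account on Microsoft-managed keys.

```python
"""Standalone check: flag Azure Cognitive Services accounts without a customer-managed key.

Added example, not Checkov's code. Input is a list of pre-parsed Terraform resources:
{"type": ..., "name": ..., "attributes": {...}} (constructed format, assumed here).
"""

CMK_RESOURCE = "azurerm_cognitive_account_customer_managed_key"
ACCOUNT_RESOURCE = "azurerm_cognitive_account"


def _referenced_account(ref):
    """Return 'azurerm_cognitive_account.<name>' for a reference like
    'azurerm_cognitive_account.<name>.id', else None.

    A reference to any other resource type (e.g. a storage account) is rejected,
    because such a CMK resource would not actually protect the cognitive account.
    """
    parts = ref.split(".") if isinstance(ref, str) else []
    if len(parts) == 3 and parts[0] == ACCOUNT_RESOURCE and parts[2] == "id":
        return "{}.{}".format(parts[0], parts[1])
    return None


def cmk_covered_accounts(resources):
    """Set of account addresses that a separate CMK resource correctly references."""
    covered = set()
    for r in resources:
        if r.get("type") != CMK_RESOURCE:
            continue
        ref = r.get("attributes", {}).get("cognitive_account_id", "")
        addr = _referenced_account(ref)
        if addr:
            covered.add(addr)
    return covered


def check_cognitive_accounts(resources):
    """Map each cognitive account address to 'PASSED' or 'FAILED'."""
    covered = cmk_covered_accounts(resources)
    results = {}
    for r in resources:
        if r.get("type") != ACCOUNT_RESOURCE:
            continue
        addr = "{}.{}".format(ACCOUNT_RESOURCE, r["name"])
        inline_cmk = "customer_managed_key" in r.get("attributes", {})
        results[addr] = "PASSED" if (inline_cmk or addr in covered) else "FAILED"
    return results


# Constructed sample: one correct setup, one inline block, one missing key,
# and one CMK resource that references the wrong resource type.
SAMPLE_RESOURCES = [
    {"type": ACCOUNT_RESOURCE, "name": "good", "attributes": {"kind": "Face"}},
    {"type": CMK_RESOURCE, "name": "good_cmk",
     "attributes": {"cognitive_account_id": "azurerm_cognitive_account.good.id",
                    "key_vault_id": "azurerm_key_vault.example.id",
                    "key_name": "tfex-key"}},
    {"type": ACCOUNT_RESOURCE, "name": "inline",
     "attributes": {"kind": "Face",
                    "customer_managed_key": {"key_vault_key_id": "azurerm_key_vault_key.example.id"}}},
    {"type": ACCOUNT_RESOURCE, "name": "bad", "attributes": {"kind": "Face"}},
    {"type": ACCOUNT_RESOURCE, "name": "mistyped", "attributes": {"kind": "Face"}},
    {"type": CMK_RESOURCE, "name": "mistyped_cmk",
     "attributes": {"cognitive_account_id": "azurerm_storage_account.mistyped.id",
                    "key_vault_id": "azurerm_key_vault.example.id",
                    "key_name": "tfex-key"}},
]


if __name__ == "__main__":
    for address, verdict in sorted(check_cognitive_accounts(SAMPLE_RESOURCES).items()):
        print(verdict, address)
```

Running the sample reports PASSED for the `good` and `inline` accounts and FAILED for `bad` (no key at all) and `mistyped` (its CMK resource references a storage account, so the cognitive account is not covered). In a real pipeline the resource list would come from a parsed plan or HCL files rather than the constructed sample.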
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0554 |
| Severity | LOW |
| IaC Type | arm |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AZURE_43 |