Key vault key is not backed by HSM

Description

For added assurance, when you use Azure Key Vault, you can import or generate keys in hardware security modules (HSMs) so that the key material never leaves the HSM boundary. This scenario is often referred to as bring your own key (BYOK). Azure Key Vault uses the nCipher nShield family of HSMs (FIPS 140-2 Level 2 validated) to protect your keys. Be aware of the cost implications of using an HSM and whether this fits your security posture.

Code Example

```terraform
resource "azurerm_key_vault_key" "generated" {
  ...
+  key_type     = "RSA-HSM"
  ...
}
```

Remediation

Terraform

  • Resource: azurerm_key_vault_key
  • Arguments: key_type - (Required) Specifies the Key Type to use for this Key Vault Key. Possible values are EC (Elliptic Curve), EC-HSM, Oct (Octet), RSA and RSA-HSM. Changing this forces a new resource to be created.
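The following is an added example, not code from the Checkov documentation or the azurerm provider: a complete Terraform configuration with two keys in one vault, a software-protected key that this check flags beside an HSM-backed key that passes. The resource group, vault name and key names are placeholders. It assumes (a documented property of Azure Key Vault, not something stated on this page) that the vault must use the Premium SKU for the RSA-HSM and EC-HSM key types to be accepted.

```terraform
# Added example (not from the Checkov docs or the azurerm provider).
# Names marked "placeholder" are illustrative and must be changed.

resource "azurerm_resource_group" "example" {
  name     = "rg-keyvault-example" # placeholder
  location = "westeurope"
}

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "example" {
  name                = "kv-byok-example" # placeholder; must be globally unique
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  # Assumption: HSM-backed key types (RSA-HSM, EC-HSM) require the Premium SKU;
  # a "standard" vault only offers software-protected keys.
  sku_name = "premium"

  access_policy {
    tenant_id       = data.azurerm_client_config.current.tenant_id
    object_id       = data.azurerm_client_config.current.object_id
    key_permissions = ["Create", "Get", "Delete", "Purge", "GetRotationPolicy"]
  }
}

# Non-compliant for CKV_AZURE_112: key material is software-protected.
resource "azurerm_key_vault_key" "software" {
  name         = "example-key-software" # placeholder
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
}

# Compliant: the private key is generated inside the HSM and never leaves it.
# key_type cannot be changed in place; switching from "RSA" forces a new key.
resource "azurerm_key_vault_key" "hsm" {
  name         = "example-key-hsm" # placeholder
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA-HSM"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
}
```

Running `checkov -d .` against this directory reports the `software` resource as failing CKV_AZURE_112 and the `hsm` resource as passing. Because `key_type` forces replacement, moving an existing key to an HSM-backed type creates a new key rather than migrating the old material, so anything encrypted under the old key must be re-wrapped before the old resource is removed.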

Rule Details

  • ID: IAC-0619
  • Severity: LOW
  • IaC Type: arm
  • Frameworks: Terraform, TerraformPlan
  • Checkov ID: CKV_AZURE_112