Azure Service Bus Doesn't Use Customer-Managed Key Encryption
Description
Azure Service Bus is a cloud messaging service used to connect applications, services, and devices running on Azure with on-premises software. It provides asynchronous, decoupled communication between components that run in the cloud, on-premises, or in a hybrid solution.
This policy ensures that data stored in an Azure Service Bus namespace is encrypted using a customer-managed key (CMK) held in Azure Key Vault. By default the service encrypts data at rest with a Microsoft-managed key; using a CMK gives you control over and visibility into the key lifecycle (rotation, access, revocation) and ensures that you, as the customer, retain control of the encryption keys.
Code Example
```terraform
resource "azurerm_servicebus_namespace" "example" {
  name = "example-namespace"
  sku  = "Premium" # customer-managed keys are only supported on the Premium tier
  # ... other configurations ...

  # Encrypt namespace data with a key you control in Azure Key Vault
  customer_managed_key {
    key_vault_key_id = "azure key vault key id here"      # replace with the Key Vault key ID
    identity_id      = "user assigned identity id here"   # replace with the identity that can access the key
  }
  # ... other configurations ...
}
```
Remediation
Terraform
Resource:
- azurerm_servicebus_namespace
Arguments:
- customer_managed_key
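The following is an added, end-to-end example (not code from the original policy page) of the configuration the remediation describes: a Premium Service Bus namespace encrypted with a key in Azure Key Vault, the user-assigned identity it authenticates with, and the Key Vault access the identity needs to wrap and unwrap that key. Resource names, the location, the key size and the access-policy permissions are assumptions chosen for illustration.

```terraform
# Added example, not part of the original page. Names and location are assumed.

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "rg-servicebus-cmk"
  location = "westeurope"
}

# Identity the namespace uses to reach the key in Key Vault.
resource "azurerm_user_assigned_identity" "sb" {
  name                = "id-servicebus-cmk"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

# Purge protection and soft delete keep the key recoverable; Azure requires
# both on a vault whose keys protect other services' data.
resource "azurerm_key_vault" "example" {
  name                       = "kv-sb-cmk-0001" # assumed; must be globally unique
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "premium"
  soft_delete_retention_days = 90
  purge_protection_enabled   = true
}

# The principal running Terraform manages the key itself.
resource "azurerm_key_vault_access_policy" "deployer" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions = [
    "Create", "Delete", "Get", "List", "Purge", "Recover", "Update",
    "GetRotationPolicy", "SetRotationPolicy",
  ]
}

# The namespace identity only needs to read and wrap/unwrap the key
# (least privilege: no create, delete or export).
resource "azurerm_key_vault_access_policy" "servicebus" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_user_assigned_identity.sb.principal_id

  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

resource "azurerm_key_vault_key" "sb" {
  name         = "servicebus-cmk"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "unwrapKey", "wrapKey"]

  depends_on = [azurerm_key_vault_access_policy.deployer]
}

resource "azurerm_servicebus_namespace" "example" {
  name                = "sbns-cmk-example" # assumed; must be globally unique
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "Premium" # CMK encryption is only available on Premium
  capacity            = 1

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.sb.id]
  }

  customer_managed_key {
    key_vault_key_id                  = azurerm_key_vault_key.sb.id
    identity_id                       = azurerm_user_assigned_identity.sb.id
    infrastructure_encryption_enabled = true
  }

  # The identity must be able to unwrap the key before the namespace is created.
  depends_on = [azurerm_key_vault_access_policy.servicebus]
}
```

The policy check passes as soon as the `customer_managed_key` block is present, but the deployment only succeeds when the three supporting pieces are in place: a Premium-tier namespace, an identity attached to the namespace, and Key Vault permissions that let that identity wrap and unwrap the key. Revoking the identity's key permissions or disabling the key makes the namespace data inaccessible, which is the control the customer-managed key is meant to provide.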
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0708 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_AZURE_201 |