feat(query): new query for terraform/azure that ensures that critical data is encrypted with CMK for storage_account

[cx-ricardo-jesus]

Reason for Proposed Changes

• Currently, there is no query that checks if a resource of type azurerm_storage_account for Terraform/Azure is being encrypted with Customer Managed Keys (CMK).

Proposed Changes

• Created a new query called "Beta - Critical Data Is Encrypted With CMK" that checks if the resource azurerm_storage_account is encrypted with Customer Managed Keys (CMK).
• For this query, the CWE that seems the most appropriate is the 311.
• The severity that seemed the most appropriate was MEDIUM, since the majority of the queries that similarly handle encryption cases also have MEDIUM severity.
• After reading the documentation, it is stated that there is two ways of setting a customer_managed_key using the resource azurerm_storage_account that are:
  • having a resource of type azurerm_storage_account with the field key_vault_key_id defined with the ID of the Key Vault Key inside the customer_managed_key block.
  • using the azurerm_storage_account_customer_managed_key resource and reference an azurerm_storage_account using the storage_account_id required field.
• Regarding the implementation itself, the query only has one policy, which uses a helper function that checks all the possible cases and returns the values that will be presented in the results.
• The helper function get_res takes all the resources as an argument, and handles the following four positive cases:
  • resource of type azurerm_storage_account with a customer_managed_key block defined, but with the field key_vault_key_id` defined within,
  • resource of type azurerm_storage_account with the block customer_managed_block not defined.
  • resource of type azurerm_storage_account_customer_managed_block referencing a resource of type azurerm_storage_account through the field storage_account_id incorrectly(with name that is different from the one on the resource of type azurerm_storage_account).
  • resource of type azurerm_storage_account_customer_managed_block referencing a resource of type azurerm_storage_account but there is not resource of type azurerm_storage_account defined on the template.
• This query checks if the resource of type azurerm_storage_account with the field key_vault_key_id defined within the customer_managed_key block or by being referenced by a resource of type azurerm_storage_account_customer_managed_key and, the only module that I found that is similar to the resources covered in this query, does not have any field key_valt_key_id on is documentation and, the fields that can be the reason that a vulnerability is present on the module(key_vault_resource_id, key_name, etc...) are all required field thus, it does not make sense to handle the module on the same way we handled the possible vulnerable configurations on the resources mentioned above.

I submit this contribution under the Apache-2.0 license.

[github-actions]

KICS version: v2.1.13

Category Results CRITICAL 0 HIGH 0 MEDIUM 0 LOW 0 INFO 0 TRACE 0 TOTAL 0	Metric Values Files scanned 1 Files parsed 1 Files failed to scan 0 Total executed queries 47 Queries failed to execute 0 Execution time 0