Database Tier Customer-Managed Key In Use

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: KeyVault-009

Ensure that a Customer-Managed Key (CMK), also known as Bring Your Own Key (BYOK), is created and configured for your Microsoft Azure database tier in order to meet cloud security and compliance requirements within your organization. This conformity rule assumes that all the Azure cloud resources available in your database tier are tagged with <data_tier_tag>:<data_tier_tag_value>, where <data_tier_tag> represents the tag name and <data_tier_tag_value> represents the tag value. Prior to running this rule by the Cloud Conformity engine, the tag set defined for your Azure database tier must be configured in the rule settings, on the Cloud Conformity console.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

When you use your own Azure Customer-Managed Key to protect the databases deployed within your database tier, you gain full control over who can use this key to access the tier data, implementing the principle of least privilege on the encryption key ownership and usage. Cloud Conformity strongly recommends creating and configuring at least one Customer-Managed Key (CMK)/Bring Your Own Key (BYOK) for your Azure cloud database tier.

Note: Make sure that you replace all <data_tier_tag>:<data_tier_tag_value> tag placeholders found in this conformity rule with your own tag name and value created for the database tier.


Audit

To determine if a database-tier Customer Master Key exists in your Microsoft Azure cloud account, perform the following actions:

Using Azure Portal

01 Sign in to your Cloud Conformity console, access Database Tier Customer-Managed Key In Use conformity rule settings and identify the tag set defined for the Azure cloud resources provisioned in your database tier (e.g. <data_tier_tag>:<data_tier_tag_value>).

02 Sign in to Azure Management Portal.

03 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

04 Choose the Azure subscription that you want to access from the Subscription filter box.

05 From the Type filter box, select Key vault to list all Key Vault instances available in the selected subscription.

06 Click on the name of the Azure Key Vault that you want to examine.

07 In the navigation panel, under Settings, select Keys, to access the Customer-Managed Keys (CMKs) deployed within the selected vault.

08 Choose the active CMK that you want to examine, then click on the current (latest) version of the key, to access the key configuration details.

09 On the selected key configuration page, choose the Tags tab and check the tag set created for the selected CMK. If the tag set does not match the one identified at step no. 1 or the key does not have any tags defined, the selected Customer Master Key (CMK) is not a database-tier cloud resource.

10 Repeat steps no. 8 and 9 for each CMK deployed in the selected Azure Key Vault.

11 Repeat steps no. 6 – 10 for each Key Vault available in the selected subscription. If none of the verified keys have the necessary database-tier tags, there is no Azure Customer Master Key (CMK) created and configured for your database tier, in the selected Azure subscription.

12 Repeat steps no. 4 – 11 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Sign in to your Cloud Conformity console, access Database Tier Customer-Managed Key In Use conformity rule settings and identify the tag set defined for the Azure cloud resources provisioned in your database tier (e.g. <data_tier_tag>:<data_tier_tag_value>).

02 Run keyvault list command (Windows/macOS/Linux) using custom query filters to list the names of all Key Vault instances available in the current Azure subscription:

az keyvault list \
    --query '[*].name'

03 The command output should return the requested Azure resource names:

[
  "cc-production-vault",
  "cc-user-access-vault"
]

04 Run keyvault key list command (Windows/macOS/Linux) using the name of the Azure Key Vault instance that you want to examine as identifier parameter and custom query filters to list the IDs of the Customer Master Keys (CMKs) available in the selected vault:

az keyvault key list \
    --vault-name "cc-production-vault" \
    --query '[?(attributes.enabled==`true`)].kid'

05 The command output should return the requested CMK identifiers (IDs):

[
  "https://cc-production-vault.vault.azure.net/keys/cc-sql-managed-cmk",
  "https://cc-production-vault.vault.azure.net/keys/cc-app-managed-cmk"
]

06 Run keyvault key show command (Windows/macOS/Linux) using the ID of the Azure Customer Master Key that you want to examine as identifier parameter and custom query filters to describe the tag set(s) defined for the selected Azure resource:

az keyvault key show \
    --id "https://cc-production-vault.vault.azure.net/keys/cc-sql-managed-cmk" \
    --query 'tags'

07 The command output should return an object that contains the tag set(s) configured for the selected CMK:

{
  "Owner": "AzSQLManager"
}

Check the tags object returned by the keyvault key show command output. If none of the tag sets returned by the command output match the tags identified at step no. 1 or the verified key does not have any tags and an empty object is returned instead (i.e. {}), the selected Customer Master Key (CMK) is not a database-tier cloud resource.

08 Repeat steps no. 6 and 7 for each CMK created inside the selected Azure Key Vault.

09 Repeat steps no. 4 – 8 for each Key Vault available in the selected subscription. If none of the verified keys have the necessary database-tier tags, there is no Azure Customer Master Key (CMK) created and configured for your database tier, within the selected Azure subscription.

10 Repeat steps no. 2 – 9 for each subscription available in your Microsoft Azure cloud account.
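As an added example that is not part of this rule page, the following Python script automates the CLI audit above for one subscription: `run_az` is a hypothetical helper around the az commands shown in steps 2, 4 and 6, `collect_from_azure` needs a logged-in Azure CLI, and the sample data is constructed from the command outputs shown on this page (plus one key created as in the remediation section).

```python
import json
import subprocess

# Assumption: the database-tier tag set identified at step 1 (name, value).
DATA_TIER_TAG = ("data_tier_tag", "data_tier_tag_value")


def is_database_tier_key(tags, tag_set=DATA_TIER_TAG):
    """True when the key's tags object carries the database-tier tag name and
    value; an empty object ({}) or null (no tags at all) never matches."""
    name, value = tag_set
    return bool(tags) and tags.get(name) == value


def audit_keys(vault_keys, tag_set=DATA_TIER_TAG):
    """vault_keys maps vault name -> {key ID: tags object}, as collected with
    `az keyvault key list` and `az keyvault key show --query tags`. Returns the
    IDs of database-tier keys; an empty list means KeyVault-009 fails."""
    return [kid for keys in vault_keys.values()
            for kid, tags in keys.items() if is_database_tier_key(tags, tag_set)]


def run_az(args):
    """Hypothetical helper: run one az command and parse its JSON output."""
    return json.loads(subprocess.check_output(["az", *args, "-o", "json"]))


def collect_from_azure():
    """Gather {vault: {key ID: tags}} for the current subscription with the
    commands from audit steps 2, 4 and 6 (requires a logged-in az CLI)."""
    result = {}
    for vault in run_az(["keyvault", "list", "--query", "[*].name"]):
        kids = run_az(["keyvault", "key", "list", "--vault-name", vault,
                       "--query", "[?(attributes.enabled==`true`)].kid"])
        result[vault] = {kid: run_az(["keyvault", "key", "show", "--id", kid,
                                      "--query", "tags"]) or {} for kid in kids}
    return result


# Constructed sample mirroring the command outputs shown on this page; the
# third key is one created as in the remediation section.
SAMPLE = {
    "cc-production-vault": {
        "https://cc-production-vault.vault.azure.net/keys/cc-sql-managed-cmk":
            {"Owner": "AzSQLManager"},
        "https://cc-production-vault.vault.azure.net/keys/cc-app-managed-cmk": {},
    },
    "cc-user-access-vault": {
        "https://cc-user-access-vault.vault.azure.net/keys/cc-database-tier-cmk":
            {"data_tier_tag": "data_tier_tag_value"},
    },
}
```

Run `audit_keys(collect_from_azure())` once per subscription (after `az account set`) to reproduce steps 2 to 10; an empty result is a finding for this rule.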

Remediation / Resolution

To create and configure a dedicated Customer-Managed Key (CMK) for the Azure cloud resources provisioned within your database tier, perform the following actions:

Using Azure Portal

01 Sign in to your Cloud Conformity console, access Database Tier Customer-Managed Key In Use conformity rule settings and copy the tag set defined for the cloud resources created inside your database tier (e.g. <data_tier_tag>:<data_tier_tag_value>).

02 Sign in to Azure Management Portal.

03 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

04 Choose the Azure subscription that you want to access from the Subscription filter box.

05 From the Type filter box, select Key vault to list all Key Vault instances available in the selected subscription.

06 Click on the name of the Azure Key Vault that you want to access.

07 In the navigation panel, under Settings, select Keys, then click on the Generate/Import button from the dashboard top menu to initiate the Customer-Managed Key setup process.

08 On the Create a key page, perform the following operations:

  1. Select Generate from the Options dropdown list to generate a new key.
  2. In the Name box, provide a unique name for your new CMK.
  3. Select RSA from the Key Type dropdown list and 2048 from the RSA Key Size dropdown list.
  4. Set an activation and/or expiration date for the resource using the Set activation date and Set expiration date controls.
  5. Select Yes for Enabled to activate the key after creation.
  6. Click Create to generate your new Customer-Managed Key (CMK).

09 Select the newly created CMK, then click on the current version of the key to access the resource latest configuration.

10 On the selected key configuration page, choose the Tags tab and use the Tag Name and Tag Value fields to create tags that will help organize the identity of the new CMK. Use the following format when you define your own tag set: <data_tier_tag>:<data_tier_tag_value> and make sure the tag name (<data_tier_tag>) and the tag value (<data_tier_tag_value>) match the tag set used to organize your database-tier cloud resources, copied at step no. 1. Click Ok to apply the tag set.

11 If required, repeat steps no. 4 – 10 to create new, dedicated database-tier Customer-Managed Keys (CMKs) for other subscriptions available in your Microsoft Azure cloud account.

Using Azure CLI

01 Sign in to your Cloud Conformity console, access Database Tier Customer-Managed Key In Use conformity rule settings and copy the tag set defined for the cloud resources created inside your database tier (e.g. <data_tier_tag>:<data_tier_tag_value>).

02 Run keyvault key create command (Windows/macOS/Linux) to create the new Customer-Managed Key (CMK)/Bring Your Own Key (BYOK) required by the Microsoft Azure cloud resources provisioned within your database tier, in the current Azure subscription. Use the following format when you define your own tag set: <data_tier_tag>:<data_tier_tag_value> and make sure the tag name (<data_tier_tag>) and the tag value (<data_tier_tag_value>) match the tag set used to organize your database-tier resources, copied at step no. 1:

az keyvault key create \
    --name cc-database-tier-cmk \
    --vault-name cc-production-vault \
    --kty RSA \
    --size 2048 \
    --ops decrypt encrypt sign unwrapKey verify wrapKey \
    --expires "2020-12-18T20:00:00Z" \
    --protection software \
    --disabled false \
    --tags data_tier_tag=data_tier_tag_value

03 The command output should return the configuration metadata for the new database-tier key:

{
  "attributes": {
    "created": "2019-12-18T20:00:00+00:00",
    "enabled": true,
    "expires": "2020-12-18T20:00:00+00:00",
    "notBefore": null,
    "recoveryLevel": "Purgeable",
    "updated": "2019-12-18T20:00:00+00:00"
  },
  "key": {
    "crv": null,
    "d": null,
    "dp": null,
    "dq": null,
    "e": "AQAB",
    "k": null,
    "keyOps": [
      "decrypt",
      "encrypt",
      "sign",
      "unwrapKey",
      "verify",
      "wrapKey"
    ],
    "kid": "https://cc-production-vault.vault.azure.net/keys/cc-database-tier-cmk/abcdabcdabcdabcdabcdabcdabcdabcd",
    "kty": "RSA",
    "n": "...",
    "p": null,
    "q": null,
    "qi": null,
    "t": null,
    "x": null,
    "y": null
  },
  "managed": null,
  "tags": {
    "data_tier_tag": "data_tier_tag_value"
  }
}

04 If required, repeat steps no. 2 and 3 to create new, dedicated database-tier Customer-Managed Keys (CMKs) for other subscriptions available in your Microsoft Azure cloud account.

Publication date Aug 31, 2020