
Web Tier Customer-Managed Key In Use

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: KeyVault-010

Ensure that a Customer-Managed Key (CMK), also known as Bring Your Own Key (BYOK), is created and configured for your Microsoft Azure web tier in order to meet cloud security and compliance requirements. This conformity rule assumes that all the Azure cloud resources available in your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Before the Cloud Conformity engine runs this rule, the tag set defined for your Azure web tier must be configured within the rule settings, on the Cloud Conformity dashboard.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.


When you use your own Azure Key Vault Customer-Managed Key to protect the data within your cloud web tier, you gain full control over who can use this key to access the web data, implementing the principle of least privilege on the encryption key ownership and usage. Cloud Conformity strongly recommends creating and configuring at least one Customer-Managed Key (CMK)/Bring Your Own Key (BYOK) for your Azure cloud web tier.

Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in this conformity rule with your own tag name and value created for the web tier.


To determine if a web-tier Key Vault Customer Master Key exists in your Microsoft Azure cloud account, perform the following actions:

Using Azure Portal

01 Sign in to your Cloud Conformity console, access Web Tier Customer-Managed Key In Use conformity rule settings and identify the tag set defined for Azure resources within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to Azure Management Portal.

03 Navigate to the All resources blade to access all your Microsoft Azure resources.

04 Choose the Azure subscription that you want to access from the Subscription filter box.

05 From the Type filter box, select Key vault to list all Key Vault instances available in the selected subscription.

06 Click on the name of the Azure Key Vault that you want to examine.

07 In the navigation panel, under Settings, select Keys, to access the Customer-Managed Keys (CMKs) deployed within the selected vault.

08 Choose the active CMK that you want to examine, then click on the current (latest) version of the key, to access the key configuration details.

09 On the selected key configuration page, click on the Tags tab and check the tag set created for the selected CMK. If the tag set does not match the one identified at step no. 1 or the key does not have any tags defined, the selected Customer Master Key (CMK) is not a web-tier resource.

10 Repeat step no. 8 and 9 for each CMK deployed in the selected Azure Key Vault.

11 Repeat steps no. 6 – 10 for each Key Vault available in the selected subscription. If none of the verified keys have the required web-tier tags, there is no Azure Customer Master Key (CMK) created and configured for your web tier, within the selected Azure subscription.

12 Repeat steps no. 4 – 11 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Sign in to your Cloud Conformity console, access Web Tier Customer-Managed Key In Use conformity rule settings and identify the tag set defined for Azure resources within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Run the keyvault list command (Windows/macOS/Linux) with a custom query filter to list the names of all Key Vault instances available in the current Azure subscription:

az keyvault list \
	--query '[*].name'

03 The command output should return the requested Azure resource identifiers (names):


04 Run the keyvault key list command (Windows/macOS/Linux) using the name of the Azure Key Vault instance that you want to examine as the identifier parameter and a custom query filter to list the IDs of the enabled Customer Master Keys (CMKs) available in the selected vault:

az keyvault key list \
	--vault-name "cc-main-key-vault" \
	--query '[?(attributes.enabled==`true`)].kid'

05 The command output should return the requested CMK identifiers (IDs):


06 Run the keyvault key show command (Windows/macOS/Linux) using the ID of the Azure Customer Master Key that you want to examine as the identifier parameter and a custom query filter to describe the tag set(s) defined for the selected Azure resource:

az keyvault key show \
	--id "" \
	--query 'tags'

07 The command output should return an object that contains the tag set(s) configured for the selected CMK:

{
  "Environment": "Production"
}

Check the tags object returned by the keyvault key show command output. If none of the tag sets returned by the command output match the tags identified at step no. 1 or the verified key does not have any tags and an empty object is returned (i.e. {}), the selected Customer Master Key (CMK) is not a web-tier resource.

08 Repeat step no. 6 and 7 for each CMK created within the selected Azure Key Vault.

09 Repeat steps no. 4 – 8 for each Key Vault available in the selected subscription. If none of the verified keys have necessary web-tier tags, there is no Azure Customer Master Key (CMK) created and configured for your web tier, within the selected Azure subscription.

10 Repeat steps no. 2 – 9 for each subscription available in your Microsoft Azure cloud account.
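The audit procedure above (keyvault list, then key list, then key show, then the tag comparison) as a script. This is an added example, not Cloud Conformity's own code; the tag name and value are assumed placeholders to be replaced with the set copied from the rule settings, and the sample kids and tags are constructed so the logic can be exercised without an Azure subscription:

```python
"""Audit helper for rule KeyVault-010 (added example, not Cloud Conformity's
code): follows the CLI steps above (keyvault list -> key list -> key show) and
reports the enabled keys that carry the web-tier tag set.  'runner' is
injectable so the same logic also runs on constructed sample data offline."""
import json
import subprocess

# Assumed tag set: replace with the values copied from the rule settings.
WEB_TIER_TAG, WEB_TIER_TAG_VALUE = "web_tier_tag", "web_tier_tag_value"


def az(args):
    """Run one az command (logged-in CLI required) and parse its JSON output."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def has_web_tier_tags(tags):
    """Exact name and value match; null or {} (no tags) is not a web-tier key."""
    return (tags or {}).get(WEB_TIER_TAG) == WEB_TIER_TAG_VALUE


def web_tier_keys(runner=az):
    """Return the kids of enabled, web-tier-tagged keys across all vaults in
    the current subscription; an empty list means the rule fails for it."""
    found = []
    for vault in runner(["keyvault", "list", "--query", "[*].name"]):
        kids = runner(["keyvault", "key", "list", "--vault-name", vault,
                       "--query", "[?attributes.enabled==`true`].kid"])
        for kid in kids:
            tags = runner(["keyvault", "key", "show", "--id", kid,
                           "--query", "tags"])
            if has_web_tier_tags(tags):
                found.append(kid)
    return found


# Constructed sample (not real Azure data) answering the three queries above.
K1 = "https://cc-main-key-vault.vault.azure.net/keys/app-key/1"
K2 = "https://cc-main-key-vault.vault.azure.net/keys/cc-web-tier-cmk/1"
SAMPLE_TAGS = {K1: {"Environment": "Production"},
               K2: {WEB_TIER_TAG: WEB_TIER_TAG_VALUE}}


def sample_runner(args):
    """Stand-in for az() that serves the constructed sample instead of Azure."""
    if args[1] == "list":                       # az keyvault list
        return ["cc-main-key-vault"]
    if args[2] == "list":                       # az keyvault key list
        return [K1, K2]
    return SAMPLE_TAGS[args[args.index("--id") + 1]]  # az keyvault key show
```

Call `web_tier_keys(sample_runner)` for the offline dry run and `web_tier_keys()` against a logged-in subscription; run it once per subscription, as step 10 requires. Like the rule itself, the script confirms that a tagged, enabled key exists in the subscription, not that the web-tier resources actually reference it.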

Remediation / Resolution

To create and configure a dedicated Customer-Managed Key (CMK) for the Azure cloud resources provisioned within your web tier, perform the following actions:

Using Azure Portal

01 Sign in to your Cloud Conformity console, access Web Tier Customer-Managed Key In Use conformity rule settings and copy the tag set defined for the Azure resources available within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to Azure Management Portal.

03 Navigate to the All resources blade to access all your Microsoft Azure resources.

04 Choose the Azure subscription that you want to access from the Subscription filter box.

05 From the Type filter box, select Key vault to list all Key Vault instances available in the selected subscription.

06 Click on the name of the Azure Key Vault that you want to access.

07 In the navigation panel, under Settings, select Keys, then click on the Generate/Import button from the dashboard top menu to initiate the CMK setup process.

08 On the Create a key page, perform the following operations:

  1. Select Generate from the Options dropdown list to generate a new key.
  2. In the Name box, provide a unique name for your new CMK.
  3. Select RSA from the Key Type dropdown list and 2048 from the RSA Key Size dropdown list.
  4. Set an activation and/or expiration date for the resource using the Set activation date and Set expiration date controls.
  5. Select Yes for Enabled to activate the key after creation.
  6. Click Create to generate your new Customer-Managed Key (CMK).

09 Select the newly created CMK, then click on the current version of the key to access the resource latest configuration.

10 On the selected key configuration page, click on the Tags tab and use the Tag Name and Tag Value fields to create the tags that identify the CMK as a web-tier resource. Use the following format when you define your own tag set: <web_tier_tag>:<web_tier_tag_value>, and make sure the tag name (<web_tier_tag>) and the tag value (<web_tier_tag_value>) match the tag set used to organize your web-tier cloud resources, copied at step no. 1. Click Ok to apply the tag set.

11 If required, repeat steps no. 4 – 10 to create new, dedicated web-tier Customer-Managed Keys (CMKs) for other subscriptions available in your Microsoft Azure cloud account.

Using Azure CLI

01 Sign in to your Cloud Conformity console, access Web Tier Customer-Managed Key In Use conformity rule settings and copy the tag set defined for the Azure resources available within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Run the keyvault key create command (Windows/macOS/Linux) to create the new Customer-Managed Key (CMK)/Bring Your Own Key (BYOK) required by the Microsoft Azure cloud resources provisioned inside your web tier, in the current subscription. Use the following format when you define your own tag set: <web_tier_tag>:<web_tier_tag_value>, and make sure the tag name (<web_tier_tag>) and the tag value (<web_tier_tag_value>) match the tag set used to organize your web-tier Azure resources, copied at step no. 1:

az keyvault key create \
	--name cc-web-tier-cmk \
	--vault-name cc-main-key-vault \
	--kty RSA \
	--size 2048 \
	--ops decrypt encrypt sign unwrapKey verify wrapKey \
	--expires "2020-12-16T12:00:00Z" \
	--protection software \
	--disabled false \
	--tags web_tier_tag=web_tier_tag_value

03 The command output should return the configuration metadata for the new web-tier key:

{
  "attributes": {
    "created": "2019-12-16T19:41:02+00:00",
    "enabled": true,
    "expires": "2020-12-16T12:00:00+00:00",
    "notBefore": null,
    "recoveryLevel": "Purgeable",
    "updated": "2019-12-16T19:41:02+00:00"
  },
  "key": {
    "crv": null,
    "d": null,
    "dp": null,
    "dq": null,
    "e": "AQAB",
    "k": null,
    "keyOps": [
      ...
    ],
    "kid": "",
    "kty": "RSA",
    "n": "...",
    "p": null,
    "q": null,
    "qi": null,
    "t": null,
    "x": null,
    "y": null
  },
  "managed": null,
  "tags": {
    "web_tier_tag": "web_tier_tag_value"
  }
}

04 If required, repeat step no. 2 and 3 to create new, dedicated web-tier Customer-Managed Keys (CMKs) for other subscriptions available in your Microsoft Azure cloud account.


Publication date Aug 31, 2020