v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/azure_compliance
Overview
13Dashboards
1311Controls
430Queries
2Variables
GitHub

Control: 9.11 Ensure Azure Keyvaults are used to store secrets

Description

Encryption keys ,Certificate thumbprints and Managed Identity Credentials can be coded into the APP service, this renders them visible as part of the configuration, to maintain security of these keys it is better to store in an Azure Keyvault and reference them from the Keyvault.

App secrets control access to the application and thus need to be secured externally to the app configuration, storing the secrets externally and referencing them in the configuration also enables key rotation without having to redeploy the app service.

Remediation

From Console

It has 2 steps process

  1. Setup keyvault.
  2. Setup the app service to use keyvault.

For more information, refer guide for Key Vault references for App service and functions

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v130_9_11

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v130_9_11 --share

SQL

This control uses a named query:

manual_control

Tags

category = Compliance
cis = true
cis_item_id = 9.11
cis_level = 2
cis_section_id = 9
cis_type = manual
cis_version = v1.3.0
plugin = azure
service = Azure/AppService