Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The PostgreSQL server resource in your Terraform configuration does not have infrastructure encryption enabled. Azure Database for PostgreSQL always encrypts data at rest with a service-managed key; infrastructure encryption adds a second, independent layer of encryption at the storage infrastructure level. Without it, the server's data is protected by only a single encryption layer.

Impact

Without infrastructure encryption, data on the server is protected by a single encryption layer only. If that layer or its key is compromised, or Azure's underlying storage is accessed by an unauthorized party, sensitive data could be exposed, leading to data breaches, regulatory non-compliance, and loss of trust in your application or organization.

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

The key vault key resource is missing an expiration date, meaning the cryptographic key will remain valid indefinitely. This increases the risk of the key being used longer than intended and makes key rotation harder to enforce.

Impact

Without an expiration date, old or potentially compromised keys remain active and usable indefinitely, and nothing forces them to be retired. An attacker who obtains a stale key, or access to an identity permitted to use it, can keep decrypting data or performing operations on its behalf for as long as the key stays valid, potentially leading to data breaches or regulatory non-compliance.

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Data Lake Store resource in your Terraform configuration does not have encryption enabled. This means that data stored in Azure Data Lake is not being encrypted at rest, leaving sensitive information unprotected.

Impact

Without encryption, attackers or unauthorized users who gain access to the storage account could read sensitive data directly. This increases the risk of data breaches, regulatory non-compliance, and exposure of confidential information.
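The finding above in Terraform terms, as an added example that is not part of the original page. Resource names and region are placeholders; the resource is the azurerm provider's Data Lake Storage Gen1 account, whose encryption_state attribute controls encryption at rest (Gen1 has since been retired by Microsoft, so this mostly matters for legacy configurations). The weak form is shown first, then the corrected one.

```hcl
# Added example (not from the original page). Names are placeholders.
resource "azurerm_resource_group" "adls" {
  name     = "rg-adls-example"
  location = "North Europe"
}

# FLAGGED: encryption at rest explicitly switched off for the account.
resource "azurerm_data_lake_store" "weak" {
  name                = "adlsweakexample"
  resource_group_name = azurerm_resource_group.adls.name
  location            = azurerm_resource_group.adls.location
  encryption_state    = "Disabled"
}

# FIXED: encryption enabled (the provider default) with service-managed keys.
# encryption_state forces a new account, so it cannot be flipped in place.
resource "azurerm_data_lake_store" "hardened" {
  name                = "adlshardenedexample"
  resource_group_name = azurerm_resource_group.adls.name
  location            = azurerm_resource_group.adls.location
  encryption_state    = "Enabled"
  encryption_type     = "ServiceManaged"
}
```

Since the default is already Enabled, the finding only fires when someone has set Disabled deliberately; the fix is to remove that line or set it to Enabled and recreate the account.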

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Automation account variables in Azure are being created without encryption enabled. The value of an unencrypted variable is stored in plain text and returned to anyone who can read the automation account through the portal, the PowerShell cmdlets, or the REST API; an encrypted variable's value can only be read from within a runbook.

Impact

If these variables contain secrets or confidential information, attackers or unauthorized users could read them, potentially leading to data leaks, privilege escalation, or further compromise of Azure resources.
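The weak and corrected forms of the variable, as an added example that is not part of the original page. Names are placeholders; the secret is taken from a sensitive Terraform variable rather than a literal so it does not end up in the configuration files.

```hcl
# Added example (not from the original page). Names are placeholders.
variable "api_token" {
  type      = string
  sensitive = true
}

resource "azurerm_resource_group" "auto" {
  name     = "rg-automation-example"
  location = "West Europe"
}

resource "azurerm_automation_account" "main" {
  name                = "aa-example"
  location            = azurerm_resource_group.auto.location
  resource_group_name = azurerm_resource_group.auto.name
  sku_name            = "Basic"
}

# FLAGGED: encrypted defaults to false, so the value is returned in clear text
# to anyone who can read the automation account.
resource "azurerm_automation_variable_string" "weak" {
  name                    = "ApiTokenWeak"
  resource_group_name     = azurerm_resource_group.auto.name
  automation_account_name = azurerm_automation_account.main.name
  value                   = var.api_token
}

# FIXED: encrypted variable. The value can only be read from inside a runbook
# (Get-AutomationVariable), not through the portal, cmdlets or REST API.
resource "azurerm_automation_variable_string" "hardened" {
  name                    = "ApiToken"
  resource_group_name     = azurerm_resource_group.auto.name
  automation_account_name = azurerm_automation_account.main.name
  value                   = var.api_token
  encrypted               = true
}
```

One caveat the flag does not cover: Terraform state still records the plaintext value of both variables, so the state backend needs the same access control and encryption at rest as the secret itself.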

Key Management Errors

Property
Language: hcl
Severity: medium
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Low

Description

The MySQL server resource in your Terraform configuration does not have infrastructure encryption enabled. Azure Database for MySQL always encrypts data at rest with a service-managed key; infrastructure encryption adds a second, independent layer of encryption at the storage infrastructure level. Without it, the server's data is protected by only a single encryption layer.

Impact

If infrastructure encryption is not enabled, an attacker who defeats the single service-managed encryption layer, or who gains access to the underlying storage, could read data including sensitive customer or business information. This can lead to data breaches, regulatory violations, and loss of trust.
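The same flag fixes both the PostgreSQL finding earlier on this page and the MySQL finding above, so one added example serves both; it is not part of the original page. Names, region, SKU and credentials are placeholders, and the resources are the azurerm provider's single-server types, which carry the infrastructure_encryption_enabled attribute.

```hcl
# Added example (not from the original page). Names, region and SKU are
# placeholders; assumes the azurerm provider's single-server resources.
variable "db_admin_password" {
  type      = string
  sensitive = true
}

resource "azurerm_resource_group" "db" {
  name     = "rg-db-example"
  location = "West Europe"
}

# FLAGGED: infrastructure_encryption_enabled is omitted and defaults to false,
# so data at rest has only the service-managed encryption layer.
resource "azurerm_postgresql_server" "weak" {
  name                = "psql-weak-example"
  location            = azurerm_resource_group.db.location
  resource_group_name = azurerm_resource_group.db.name

  sku_name   = "GP_Gen5_2"
  version    = "11"
  storage_mb = 5120

  administrator_login          = "psqladmin"
  administrator_login_password = var.db_admin_password
  ssl_enforcement_enabled      = true
}

# FIXED: a second encryption layer at the storage infrastructure level.
# The flag forces a new server, so it has to be set when the server is created.
resource "azurerm_postgresql_server" "hardened" {
  name                = "psql-hardened-example"
  location            = azurerm_resource_group.db.location
  resource_group_name = azurerm_resource_group.db.name

  sku_name   = "GP_Gen5_2"
  version    = "11"
  storage_mb = 5120

  administrator_login          = "psqladmin"
  administrator_login_password = var.db_admin_password
  ssl_enforcement_enabled      = true

  infrastructure_encryption_enabled = true
}

# The MySQL single-server resource carries the same flag.
resource "azurerm_mysql_server" "hardened" {
  name                = "mysql-hardened-example"
  location            = azurerm_resource_group.db.location
  resource_group_name = azurerm_resource_group.db.name

  sku_name   = "GP_Gen5_2"
  version    = "8.0"
  storage_mb = 5120

  administrator_login          = "mysqladmin"
  administrator_login_password = var.db_admin_password
  ssl_enforcement_enabled      = true

  infrastructure_encryption_enabled = true
}
```

Because the attribute forces replacement, adding it to an existing server in a plan shows the server being destroyed and recreated; migrate the data rather than applying that plan blindly.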

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The key vault keys in your Azure configuration are not set to be backed by a Hardware Security Module (HSM). Without HSM backing, cryptographic keys are stored in software, which offers less protection against theft or compromise.

Impact

If keys are not HSM-backed, attackers who gain access to the key vault or underlying infrastructure may be able to extract sensitive cryptographic keys more easily. This can lead to unauthorized data decryption, data breaches, or loss of control over protected resources.
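One key definition that satisfies both the missing-expiration finding earlier on this page and the HSM finding above, as an added example that is not part of the original page. Names, region and the expiry date are placeholders; the HSM-backed key types (RSA-HSM, EC-HSM) require a premium-SKU vault, and the rotation_policy block and the rotation-policy key permissions assume a 3.x azurerm provider.

```hcl
# Added example (not from the original page). Names and dates are placeholders.
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "kv" {
  name     = "rg-kv-example"
  location = "West Europe"
}

# HSM-backed keys are only accepted by the premium SKU.
resource "azurerm_key_vault" "main" {
  name                       = "kv-hsm-example"
  location                   = azurerm_resource_group.kv.location
  resource_group_name        = azurerm_resource_group.kv.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "premium"
  soft_delete_retention_days = 90
  purge_protection_enabled   = true

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id
    key_permissions = [
      "Create", "Get", "List", "Delete", "Purge", "Recover", "Update",
      "GetRotationPolicy", "SetRotationPolicy", # needed for rotation_policy
    ]
  }
}

# FLAGGED by both rules: software-protected key with no expiration date.
resource "azurerm_key_vault_key" "weak" {
  name         = "data-key-weak"
  key_vault_id = azurerm_key_vault.main.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "wrapKey", "unwrapKey"]
}

# FIXED: HSM-protected, bounded lifetime, and rotated automatically before it
# expires so the expiry never takes a consumer by surprise.
resource "azurerm_key_vault_key" "hardened" {
  name         = "data-key"
  key_vault_id = azurerm_key_vault.main.id
  key_type     = "RSA-HSM"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "wrapKey", "unwrapKey"]

  # Expiry of the current version (placeholder date; pick one inside your
  # rotation window).
  expiration_date = "2026-12-31T00:00:00Z"

  rotation_policy {
    expire_after         = "P365D" # versions created by rotation live one year
    notify_before_expiry = "P30D"
    automatic {
      time_before_expiry = "P60D" # rotate 60 days before a version expires
    }
  }
}
```

Expiry on its own only stops use of the key; rotation is what keeps dependent services working, so set both. Existing keys can be given an expiry and rotation policy in place; changing key_type from RSA to RSA-HSM creates a new key, and anything wrapped with the old one must be re-wrapped.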

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Azure Data Explorer (Kusto) cluster is not configured with double encryption enabled, which means data at rest is only protected by a single layer of encryption. This increases the risk of unauthorized access if the primary encryption layer is compromised.
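The cluster resource with and without the setting, as an added example that is not part of the original page. Names, region and SKU are placeholders; the attribute on the azurerm Kusto cluster resource is double_encryption_enabled.

```hcl
# Added example (not from the original page). Names and SKU are placeholders.
resource "azurerm_resource_group" "adx" {
  name     = "rg-adx-example"
  location = "West Europe"
}

# FLAGGED: double_encryption_enabled omitted, so it defaults to false and the
# cluster's data at rest has a single encryption layer.
resource "azurerm_kusto_cluster" "weak" {
  name                = "adxweakexample"
  location            = azurerm_resource_group.adx.location
  resource_group_name = azurerm_resource_group.adx.name

  sku {
    name     = "Standard_D13_v2"
    capacity = 2
  }
}

# FIXED: second, infrastructure-level encryption layer. The setting forces a
# new cluster, so it must be chosen when the cluster is created.
resource "azurerm_kusto_cluster" "hardened" {
  name                = "adxhardenedexample"
  location            = azurerm_resource_group.adx.location
  resource_group_name = azurerm_resource_group.adx.name

  sku {
    name     = "Standard_D13_v2"
    capacity = 2
  }

  double_encryption_enabled = true
}
```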

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The AKS cluster is not configured with a disk encryption set, so the OS and data disks of its nodes are encrypted with platform-managed keys rather than a customer-managed key held in your Key Vault. You therefore have no control over, and no audit trail for, the key that protects data at rest on those disks.

Impact

Without a customer-managed key, you cannot rotate, audit, or revoke the key that encrypts the cluster's disks, so access by an attacker or unauthorized user who reaches the underlying storage through the platform cannot be cut off by disabling the key. This weakens your control over data at rest and may violate compliance requirements that mandate customer-managed keys.
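The full chain needed to satisfy the finding (vault, key, disk encryption set, access for the set's identity, cluster), as an added example that is not part of the original page. Names, region and VM sizes are placeholders and a 3.x azurerm provider is assumed. The vault uses separate azurerm_key_vault_access_policy resources rather than inline access_policy blocks, because mixing the two makes Terraform fight over the policy list.

```hcl
# Added example (not from the original page). Names and sizes are placeholders.
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "aks" {
  name     = "rg-aks-example"
  location = "West Europe"
}

# A disk encryption set requires purge protection (and so soft delete) on the vault.
resource "azurerm_key_vault" "des" {
  name                       = "kv-aks-des-example"
  location                   = azurerm_resource_group.aks.location
  resource_group_name        = azurerm_resource_group.aks.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "premium"
  soft_delete_retention_days = 90
  purge_protection_enabled   = true
}

# The deployer creates and manages the key.
resource "azurerm_key_vault_access_policy" "deployer" {
  key_vault_id    = azurerm_key_vault.des.id
  tenant_id       = data.azurerm_client_config.current.tenant_id
  object_id       = data.azurerm_client_config.current.object_id
  key_permissions = ["Create", "Get", "List", "Delete", "Purge", "Recover", "Update"]
}

resource "azurerm_key_vault_key" "des" {
  name         = "aks-disk-key"
  key_vault_id = azurerm_key_vault.des.id
  key_type     = "RSA-HSM"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

  depends_on = [azurerm_key_vault_access_policy.deployer]
}

resource "azurerm_disk_encryption_set" "aks" {
  name                = "des-aks-example"
  resource_group_name = azurerm_resource_group.aks.name
  location            = azurerm_resource_group.aks.location
  key_vault_key_id    = azurerm_key_vault_key.des.id

  identity {
    type = "SystemAssigned"
  }
}

# The set's managed identity wraps and unwraps the per-disk keys with the CMK.
resource "azurerm_key_vault_access_policy" "des" {
  key_vault_id    = azurerm_key_vault.des.id
  tenant_id       = azurerm_disk_encryption_set.aks.identity[0].tenant_id
  object_id       = azurerm_disk_encryption_set.aks.identity[0].principal_id
  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

# FLAGGED form: this same resource without disk_encryption_set_id, which leaves
# node disks on platform-managed keys.
# FIXED: node OS and data disks are encrypted with the customer-managed key.
resource "azurerm_kubernetes_cluster" "hardened" {
  name                = "aks-hardened-example"
  location            = azurerm_resource_group.aks.location
  resource_group_name = azurerm_resource_group.aks.name
  dns_prefix          = "akshardened"

  disk_encryption_set_id = azurerm_disk_encryption_set.aks.id

  default_node_pool {
    name       = "system"
    node_count = 1
    vm_size    = "Standard_DS2_v2"
  }

  identity {
    type = "SystemAssigned"
  }

  depends_on = [azurerm_key_vault_access_policy.des]
}
```

disk_encryption_set_id forces a new cluster, so this is a creation-time decision. Disabling the key in the vault afterwards makes the disks unreadable to the platform, which is the revocation lever the finding is about; test that path in a non-production cluster before relying on it.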

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Vertex AI dataset resource is not configured to use a Customer Managed Key (CMK) for encryption. This means data is not encrypted with a key you control, reducing your ability to manage and audit access.

Impact

Without a CMK, data in Vertex AI datasets is protected only by Google's default encryption, which gives you no control over key rotation and no way to revoke access by disabling the key. If your project is compromised, an attacker with read access to the dataset can use the data directly, with no key-level control on your side to detect or cut off that access, exposing sensitive information and increasing compliance risk.

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The BigQuery table resource is not configured to use a customer-managed encryption key (CMEK). This means data stored in the table relies on default Google-managed encryption rather than a key you control.

Impact

Without CMEK, you lose granular control over data encryption and key rotation. If an attacker gains access to your cloud account, or if Google is compelled to disclose data, sensitive information in BigQuery tables could be exposed without your oversight and without the ability to make the data unreadable by disabling or destroying the key.
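Both Google Cloud findings on this page (the Vertex AI dataset and the BigQuery table) are fixed the same way, by pointing the resource at a Cloud KMS key and granting the service's own agent use of that key, so one added example covers both; it is not part of the original page. Project, region and names are placeholders. The BigQuery service account comes from the provider's google_bigquery_default_service_account data source; the Vertex AI service agent address is assumed to follow the service-<project number>@gcp-sa-aiplatform.iam.gserviceaccount.com pattern and to already exist in the project.

```hcl
# Added example (not from the original page). Project, region and names are
# placeholders; the key and the resources that use it must share a location.
data "google_project" "current" {}

resource "google_kms_key_ring" "data" {
  name     = "data-keyring"
  location = "us-central1"
}

resource "google_kms_crypto_key" "data" {
  name            = "data-cmek"
  key_ring        = google_kms_key_ring.data.id
  rotation_period = "7776000s" # 90 days

  lifecycle {
    prevent_destroy = true # destroying the key makes every table/dataset unreadable
  }
}

# BigQuery encrypts through a per-project service account that needs
# encrypt/decrypt on the key before a CMEK table can be created.
data "google_bigquery_default_service_account" "bq" {}

resource "google_kms_crypto_key_iam_member" "bq" {
  crypto_key_id = google_kms_crypto_key.data.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_bigquery_default_service_account.bq.email}"
}

# Vertex AI service agent (assumed address pattern; must already exist).
resource "google_kms_crypto_key_iam_member" "vertex" {
  crypto_key_id = google_kms_crypto_key.data.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.current.number}@gcp-sa-aiplatform.iam.gserviceaccount.com"
}

resource "google_bigquery_dataset" "analytics" {
  dataset_id = "analytics"
  location   = "us-central1"
}

# FLAGGED: no encryption_configuration, so the table uses a Google-managed key.
resource "google_bigquery_table" "weak" {
  dataset_id = google_bigquery_dataset.analytics.dataset_id
  table_id   = "events_weak"
}

# FIXED: table encrypted with the customer-managed key.
resource "google_bigquery_table" "hardened" {
  dataset_id = google_bigquery_dataset.analytics.dataset_id
  table_id   = "events"

  encryption_configuration {
    kms_key_name = google_kms_crypto_key.data.id
  }

  depends_on = [google_kms_crypto_key_iam_member.bq]
}

# FIXED: Vertex AI dataset encrypted with the same customer-managed key.
resource "google_vertex_ai_dataset" "hardened" {
  display_name        = "training-data"
  region              = "us-central1"
  metadata_schema_uri = "gs://google-cloud-aiplatform/schema/dataset/metadata/image_1.0.0.yaml"

  encryption_spec {
    kms_key_name = google_kms_crypto_key.data.id
  }

  depends_on = [google_kms_crypto_key_iam_member.vertex]
}
```

For BigQuery, setting default_encryption_configuration on the dataset applies the key to every table created in it, which is easier to keep the scanner happy with than annotating each table. Revocation works by disabling the key version in KMS, after which reads of the table and dataset fail until it is re-enabled; that is the control the two findings say is missing without a CMK.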