Skip to content

feat(query): implements "Beta - Storage Account With Shared Access Key" #7832

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
cx-andre-pereira merged 3 commits into from
Dec 9, 2025
Merged

feat(query): implements "Beta - Storage Account With Shared Access Key" #7832

cx-andre-pereira merged 3 commits into from
Dec 9, 2025

Conversation

@cx-andre-pereira
Copy link
Contributor

@cx-andre-pereira cx-andre-pereira commented Nov 6, 2025
edited
Loading

Reason for Proposed Changes

  • Currently there is no query to ensure that resources of type "azurerm_storage_account" set the "shared_access_key_enabled" field to false.

  • Quoting CIS_Microsoft_Azure_Foundations_Benchmark_v5.0.0 page 504: "Microsoft Entra ID provides superior security and ease of use compared to Shared Key and is recommended by Microsoft. To require clients to use Microsoft Entra ID for authorizing requests, you can disallow requests to the storage account that are authorized with Shared Key."

Proposed Changes

  • Implemented the missing query.
  • The query will flag any "azurerm_storage_account" resource that does not set the "shared_access_key_enabled" field or sets it to a value that is not false.

I submit this contribution under the Apache-2.0 license.

@github-actions github-actions bot added feature New feature query New query feature labels Nov 6, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Nov 6, 2025
edited
Loading

kics-logo

KICS version: v2.1.17

Category Results
CRITICAL CRITICAL 0
HIGH HIGH 0
MEDIUM MEDIUM 0
LOW LOW 0
INFO INFO 0
TRACE TRACE 0
TOTAL TOTAL 0
Metric Values
Files scanned placeholder 1
Files parsed placeholder 1
Files failed to scan placeholder 0
Total executed queries placeholder 47
Queries failed to execute placeholder 0
Execution time placeholder 0

@github-actions github-actions bot added terraform Terraform query azure PR related with Azure Cloud labels Nov 7, 2025
@cx-andre-pereira cx-andre-pereira marked this pull request as ready for review November 7, 2025 11:25
@cx-andre-pereira cx-andre-pereira requested a review from a team as a code owner November 7, 2025 11:25
cx-eduardo-semanas
cx-eduardo-semanas previously approved these changes Nov 25, 2025
View reviewed changes
Copy link
Contributor

@cx-eduardo-semanas cx-eduardo-semanas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@cx-andre-pereira
Merge branch 'master' into AST-116659_49_9.3.1.3_ensure_allow_storage…
0d29bb3 
…_account_key_access_for_azure_storage_accounts_is_disabled
cx-eduardo-semanas
cx-eduardo-semanas approved these changes Dec 9, 2025
View reviewed changes
Copy link
Contributor

@cx-eduardo-semanas cx-eduardo-semanas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@cx-andre-pereira cx-andre-pereira merged commit f625abb into master Dec 9, 2025
29 checks passed
@cx-andre-pereira cx-andre-pereira deleted the AST-116659_49_9.3.1.3_ensure_allow_storage_account_key_access_for_azure_storage_accounts_is_disabled branch December 9, 2025 09:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cx-eduardo-semanas cx-eduardo-semanas cx-eduardo-semanas approved these changes

Assignees

No one assigned

Labels

azure PR related with Azure Cloud feature New feature query New query feature terraform Terraform query

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cx-andre-pereira @cx-eduardo-semanas