Skip to content

feat(query): implements "Beta - Storage Account Using Unsafe SMB Channel Encryption" #7830

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

feat(query): implements "Beta - Storage Account Using Unsafe SMB Channel Encryption" #7830

wants to merge 4 commits into from

Conversation

@cx-andre-pereira
Copy link
Contributor

@cx-andre-pereira cx-andre-pereira commented Nov 6, 2025
edited
Loading

Reason for Proposed Changes

  • Currently there is no query to ensure that resources of type "azurerm_storage_account" has the "share_properties.smb.channel_encryption_type" array set to ["AES-256-GCM"].

  • Quoting CIS_Microsoft_Azure_Foundations_Benchmark_v5.0.0 page 482:

    • "Implement SMB channel encryption with AES-256-GCM for SMB file shares to ensure data confidentiality and integrity in transit. This method offers strong protection against eavesdropping and man-in-the-middle attacks, safeguarding sensitive information.."
    • "AES-256-GCM encryption enhances the security of data transmitted over SMB channels by safeguarding it from unauthorized interception and tampering."

  • In the CIS Benchmark it is also stated that, by default, "the following SMB channel encryption algorithms are allowed: AES-128-CCM, AES-128-GCM, AES-256-GCM". (all "Possible values" from the terraform documentation).

Proposed Changes

  • Implemented the missing query.

  • The query will flag a "azurerm_storage_account" resource given any one of these 6 scenarios :

    • Undefined "share_properties" block
    • Undefined "share_properties.smb" block
    • Undefined "share_properties.smb.versions" field
    • Having its "share_properties.smb.channel_encryption_type" field set to []
    • Having its "share_properties.smb.channel_encryption_type" field not include the "AES-256-GCM" value
    • Having its "share_properties.smb.channel_encryption_type" include the "AES-256-GCM" value together with other, weaker, AES versions.

  • Note the "issueType" will be "MissingAttribute" for the first 3 scenarios and "IncorrectValue" for the last 3.

I submit this contribution under the Apache-2.0 license.

@cx-andre-pereira cx-andre-pereira changed the title feat(query): "Beta - Storage Account Using Unsafe SMB Channel Encryption" feat(query): implements "Beta - Storage Account Using Unsafe SMB Channel Encryption" Nov 6, 2025
@github-actions github-actions bot added the feature New feature label Nov 6, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Nov 6, 2025

kics-logo

KICS version: v2.1.13

Category Results
CRITICAL CRITICAL 0
HIGH HIGH 0
MEDIUM MEDIUM 0
LOW LOW 0
INFO INFO 0
TRACE TRACE 0
TOTAL TOTAL 0
Metric Values
Files scanned placeholder 1
Files parsed placeholder 1
Files failed to scan placeholder 0
Total executed queries placeholder 47
Queries failed to execute placeholder 0
Execution time placeholder 0

@github-actions github-actions bot added query New query feature terraform Terraform query azure PR related with Azure Cloud labels Nov 6, 2025
@cx-andre-pereira cx-andre-pereira marked this pull request as ready for review November 6, 2025 16:44
@cx-andre-pereira cx-andre-pereira requested a review from a team as a code owner November 6, 2025 16:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

azure PR related with Azure Cloud feature New feature query New query feature terraform Terraform query

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cx-andre-pereira