Using unencrypted cloud storages can lead to data exposure. In the case that adversaries gain physical access to the storage medium they are able to access unencrypted information.

Ask Yourself Whether

• The service contains sensitive information that could cause harm when leaked.
• There are compliance requirements for the service to store data encrypted.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

It’s recommended to encrypt cloud storages that contain sensitive information.

Sensitive Code Example

For azurerm_data_lake_store:

resource "azurerm_data_lake_store" "store" {
  name             = "store"
  encryption_state = "Disabled"  # Sensitive
}

Compliant Solution

For azurerm_data_lake_store:

resource "azurerm_data_lake_store" "store" {
  name             = "store"
  encryption_state = "Enabled"
  encryption_type  = "ServiceManaged"
}

See

• OWASP Top 10 2021 Category A2 - Cryptographic Failures
• OWASP Top 10 2021 Category A4 - Insecure Design
• OWASP Top 10 2021 Category A5 - Security Misconfiguration
• Data encryption in Amazon EFS
• OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
• OWASP Top 10 2017 Category A6 - Security Misconfiguration
• MITRE, CWE-311 - Missing Encryption of Sensitive Data