Control: Storage accounts should use customer-managed key for encryption
Description
Secure your storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.storage_account_encryption_at_rest_using_cmkSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.storage_account_encryption_at_rest_using_cmk --shareSQL
This control uses a named query:
select sa.id as resource, case when sa.encryption_key_source = 'Microsoft.Storage' then 'alarm' else 'ok' end as status, case when sa.encryption_key_source = 'Microsoft.Storage' then sa.name || ' not encrypted with CMK.' else sa.name || ' encrypted with CMK.' end as reason , sa.resource_group as resource_group , sub.display_name as subscriptionfrom azure_storage_account sa, azure_subscription subwhere sub.subscription_id = sa.subscription_id;