Control: 2.1.1.1.1 Ensure Critical Data is Encrypted with Microsoft Managed Keys (MMK)
Overview
Microsoft Managed Keys (MMK) (also known as Platform-managed keys (PMK)) provides a very low overhead method of encrypting data at rest and implementing encryption key management. Keys maintained in an MMK implementation are automatically managed by Azure and require no customer interaction.
The encryption of data at rest is a foundational component of data security. Data at rest without encryption is easily compromised through loss or theft. Encrypting data at rest introduces confidentiality to the data by obfuscating the data contents with a cipher algorithm and provides an authentication requirement through the use of cryptographic keys. MMK makes the encryption of data at rest very easy to implement and maintain.
Default Value
By default, Encryption type is set to Microsoft Managed Keys.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v400_2_1_1_1_1Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v400_2_1_1_1_1 --shareSQL
This control uses a named query:
select sa.id as resource, case when sa.encryption_key_source = 'Microsoft.Storage' then 'ok' else 'alarm' end as status, case when sa.encryption_key_source = 'Microsoft.Storage' then sa.name || ' encrypted with MMK.' else sa.name || ' not encrypted with MMK.' end as reason , sa.resource_group as resource_group , sub.display_name as subscriptionfrom azure_storage_account sa, azure_subscription subwhere sub.subscription_id = sa.subscription_id;