Control: 2.1.1.2.1 Ensure Critical Data is Encrypted with Customer Managed Keys (CMK)
Overview
Customer Managed Keys introduce additional depth to security by providing a means to manage access control for encryption keys. Where compliance and security frameworks indicate the need, and organizational capacity allows, sensitive data at rest can be encrypted using Customer Managed Keys (CMK) rather than Microsoft Managed keys.
By default in Azure, data at rest tends to be encrypted using Microsoft Managed Keys. If your organization wants to control and manage encryption keys for compliance and defense-in-depth, Customer Managed Keys can be established.
While it is possible to automate the assessment of this recommendation, the assessment status for this recommendation remains 'Manual' due to ideally limited scope. The scope of application - which workloads CMK is applied to - should be carefully considered to account for organizational capacity and targeted to workloads with specific need for CMK.
Default Value
By default, Encryption type is set to Microsoft Managed Keys.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v400_2_1_1_2_1Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v400_2_1_1_2_1 --shareSQL
This control uses a named query:
select sa.id as resource, case when sa.encryption_key_source = 'Microsoft.Storage' then 'alarm' else 'ok' end as status, case when sa.encryption_key_source = 'Microsoft.Storage' then sa.name || ' not encrypted with CMK.' else sa.name || ' encrypted with CMK.' end as reason , sa.resource_group as resource_group , sub.display_name as subscriptionfrom azure_storage_account sa, azure_subscription subwhere sub.subscription_id = sa.subscription_id;