Control: Event Hub namespaces should use a customer-managed key for encryption
Description
Azure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.eventhub_namespace_cmk_encryption_enabledSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.eventhub_namespace_cmk_encryption_enabled --shareSQL
This control uses a named query:
select a.id as resource, case when encryption ->> 'keySource' = 'Microsoft.KeyVault' then 'ok' else 'alarm' end as status, case when encryption ->> 'keySource' = 'Microsoft.KeyVault' then a.name || ' CMK encryption enabled.' else a.name || ' CMK encryption disabled.' end as reason , a.resource_group as resource_group , sub.display_name as subscriptionfrom azure_eventhub_namespace as a, azure_subscription as subwhere sub.subscription_id = a.subscription_id;