Control: Service Bus Premium namespaces should use a customer-managed key for encryption
Description
Azure Service Bus supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Service Bus will use to encrypt data in your namespace. Note that Service Bus only supports encryption with customer-managed keys for premium namespaces.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.servicebus_premium_namespace_cmk_encryptedSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.servicebus_premium_namespace_cmk_encrypted --shareSQL
This control uses a named query:
select a.id as resource, case when sku_tier <> 'Premium' then 'skip' when encryption -> 'keySource' = '"Microsoft.KeyVault"' then 'ok' else 'alarm' end as status, case when sku_tier <> 'Premium' then a.name || ' is of ' || sku_tier || ' tier.' when encryption -> 'keySource' = '"Microsoft.KeyVault"' then a.name || ' encrypted using CMK.' else a.name || ' not encrypted using CMK.' end as reason , a.resource_group as resource_group , sub.display_name as subscriptionfrom azure_servicebus_namespace a, azure_subscription sub;