Control: Storage account encryption scopes should use customer-managed keys to encrypt data at rest
Description
Use customer-managed keys to manage the encryption at rest of your storage account encryption scopes. Customer-managed keys allow the data to be encrypted with an Azure Key Vault key that you create and own. You have full control of, and responsibility for, the key lifecycle, including rotation, access policy and revocation. An encryption scope's key source is either Microsoft.Storage (platform-managed key) or Microsoft.KeyVault (customer-managed key); this control reports an alarm for every scope whose source is not the Key Vault one.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.storage_account_encryption_scopes_encrypted_at_rest_with_cmk
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.storage_account_encryption_scopes_encrypted_at_rest_with_cmk --share
SQL
This control uses a named query:
with storage_account_encryption_scope as (
  -- One row per encryption scope, unnested from the storage account's jsonb array.
  select
    e ->> 'Id' as id,
    e ->> 'Name' as name,
    e ->> 'Source' as source,
    subscription_id,
    _ctx,
    region,
    resource_group
  from
    azure_storage_account,
    jsonb_array_elements(encryption_scope) as e
)
select
  s.id as resource,
  -- The Azure REST API returns the key source as 'Microsoft.KeyVault';
  -- compare case-insensitively so a casing difference cannot hide a CMK scope.
  case
    when lower(s.source) = 'microsoft.keyvault' then 'ok'
    else 'alarm'
  end as status,
  case
    when lower(s.source) = 'microsoft.keyvault' then s.name || ' uses customer-managed keys to encrypt data at rest.'
    else s.name || ' does not use customer-managed keys to encrypt data at rest.'
  end as reason,
  s.resource_group as resource_group,
  sub.display_name as subscription
from
  storage_account_encryption_scope as s
  join azure_subscription as sub on sub.subscription_id = s.subscription_id;
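To check the control's classification logic without a live Azure connection, the following added example (not part of the azure_compliance mod or the Steampipe plugin) replaces the two Steampipe tables with constructed rows of the same shape that the query reads: azure_storage_account with an encryption_scope jsonb array of Id, Name and Source, plus subscription_id and resource_group, and azure_subscription with subscription_id and display_name. All names, IDs and the subscription are made up. It runs on any PostgreSQL and evaluates the CASE expression twice, once with the exact-match literal as the control is written and once case-insensitively, so that a scope whose Source is spelled Microsoft.KeyVault (the value the Azure REST API returns) can be compared with one spelled Microsoft.Keyvault.

```sql
-- Added example: offline check of the control logic on constructed rows.
-- The first two CTEs stand in for the Steampipe tables azure_storage_account
-- and azure_subscription; every value below is invented for illustration.
with azure_storage_account(name, subscription_id, resource_group, encryption_scope) as (
  values
    ('stcmkprod', '00000000-0000-0000-0000-000000000001', 'rg-prod',
     '[{"Id": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stcmkprod/encryptionScopes/scope-kv",
        "Name": "scope-kv",  "Source": "Microsoft.KeyVault"},
       {"Id": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stcmkprod/encryptionScopes/scope-msk",
        "Name": "scope-msk", "Source": "Microsoft.Storage"}]'::jsonb),
    ('stlegacy', '00000000-0000-0000-0000-000000000001', 'rg-legacy',
     '[{"Id": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-legacy/providers/Microsoft.Storage/storageAccounts/stlegacy/encryptionScopes/scope-old",
        "Name": "scope-old", "Source": "Microsoft.Keyvault"}]'::jsonb)
),
azure_subscription(subscription_id, display_name) as (
  values ('00000000-0000-0000-0000-000000000001', 'Example subscription')
),
storage_account_encryption_scope as (
  -- Same unnesting step as the control: one row per encryption scope.
  select
    e ->> 'Id' as id,
    e ->> 'Name' as name,
    e ->> 'Source' as source,
    subscription_id,
    resource_group
  from
    azure_storage_account,
    jsonb_array_elements(encryption_scope) as e
)
select
  s.name as scope,
  s.source,
  -- Exact match on the literal used by the control as published.
  case when s.source = 'Microsoft.Keyvault' then 'ok' else 'alarm' end as status_exact,
  -- Case-insensitive match: treats both spellings as a Key Vault source.
  case when lower(s.source) = 'microsoft.keyvault' then 'ok' else 'alarm' end as status_ci,
  s.resource_group,
  sub.display_name as subscription
from
  storage_account_encryption_scope as s
  join azure_subscription as sub on sub.subscription_id = s.subscription_id
order by s.name;
```

PostgreSQL string comparison with = is case-sensitive, so the two status columns differ only for the scope-kv row; scope-msk is an alarm either way because its key is platform-managed. Paste the real rows from a `select name, subscription_id, resource_group, encryption_scope from azure_storage_account` query into the first CTE to replay the control against a snapshot of your own accounts.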