Control: Azure Synapse workspaces should use customer-managed keys to encrypt data at rest
Description
Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.synapse_workspace_encryption_at_rest_using_cmkSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.synapse_workspace_encryption_at_rest_using_cmk --shareSQL
This control uses a named query:
select s.id as resource, case when encryption -> 'CmkKey' ->> 'name' is not null then 'ok' else 'alarm' end as status, case when encryption -> 'CmkKey' ->> 'name' is not null then s.title || ' encrypted with CMK.' else s.title || ' not encrypted with CMK.' end as reason , s.resource_group as resource_group , sub.display_name as subscriptionfrom azure_synapse_workspace as s, azure_subscription as subwhere sub.subscription_id = s.subscription_id;