Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
16Dashboards
1651Benchmarks
486Queries
8Variables
GitHub

Control: Storage accounts should use Microsoft-managed key for encryption

Description

Use Microsoft-managed key to encrypt your storage account. Microsoft-managed key is the default and simplest option for encryption at rest.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.storage_account_encryption_at_rest_using_mmk

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.storage_account_encryption_at_rest_using_mmk --share

SQL

This control uses a named query:

select
  sa.id as resource,
  case
    when sa.encryption_key_source = 'Microsoft.Storage' then 'ok'
    else 'alarm'
  end as status,
  case
    when sa.encryption_key_source = 'Microsoft.Storage' then sa.name || ' encrypted with MMK.'
    else sa.name || ' not encrypted with MMK.'
  end as reason
  
  , sa.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_storage_account sa
  left join azure_subscription as sub on sub.subscription_id = sa.subscription_id;

Tags

service = Azure/Storage