Skip to main content

πŸ“ Azure Storage Account With Critical Data is not encrypted with customer managed key 🟒

  • Contextual name: πŸ“ Critical Data is not encrypted with customer managed key 🟒
  • ID: /ce/ca/azure/storage/critical-data-encryption-with-cmk
  • Located in: πŸ“ Azure Storage

Flags​

Our Metadata​

  • Policy Type: BEST_PRACTICE
  • Policy Category:
    • SECURITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-aef11ebd1

Description​

Open File

Description​

Enable sensitive data encryption at rest using Customer Managed Keys (CMK) rather than Microsoft Managed keys.

Rationale​

By default, data in the storage account is encrypted using Microsoft Managed Keys at rest. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted. If you want to control and manage this encryption key yourself, however, you can specify a customer-managed key. That key is used to protect and control access to the key that encrypts your data. You can also choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated Key Vault.

While it is possible to automate the assessment of this recommendation, the assessment status for this recommendation remains 'Manual.' This is because the recommendation pertains to storage accounts that store critical data and is therefore not applicable to all storage accounts.

Impact​

If the key expires by setting the activation date and expiration date, the user must rotate the key manually.

... see more

Remediation​

Open File

Remediation​

From Azure Portal​

  1. Go to Storage Accounts.
  2. For each storage account, under Security + networking, go to Encryption.
  3. Set Encryption type to Customer-managed keys.
  4. Select an encryption key or enter a key URI.
  5. Click Save.

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 52c appropriate encryption, cleansing and auditing of devices;99
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance).2122
πŸ’Ό CIS Azure v1.3.0 β†’ πŸ’Ό 3.9 Ensure storage for critical data are encrypted with Customer Managed Key - Level 2 (Automated)11
πŸ’Ό CIS Azure v1.4.0 β†’ πŸ’Ό 3.9 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys - Level 2 (Manual)11
πŸ’Ό CIS Azure v2.1.0 β†’ πŸ’Ό 3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK) - Level 2 (Manual)1
πŸ’Ό CIS Azure v3.0.0 β†’ πŸ’Ό 4.11 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK) (Manual)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Data Encryption42
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4(4) Flow Control of Encrypted Information (H)2526
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-12 Cryptographic Key Establishment and Management (L)(M)(H)1911
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)1724
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-12 Cryptographic Key Establishment and Management (L)(M)(H)11
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)124
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-12 Cryptographic Key Establishment and Management (L)(M)(H)11
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)124
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.10.1.2 Key management911
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-1: Data-at-rest is protected1528
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-2: Data-in-transit is protected1631
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected114
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected94
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(2) Information Flow Enforcement _ Processing Domains3032
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-28 Protection of Information at Rest31625
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 3.4.1 If disk encryption is used, logical access must be managed separately and independently of native operating system authentication and access control mechanisms.712
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.13
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable.12
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.813
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable.12
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-11 Protects Encryption Keys69