🛡️ Azure Storage Account With Critical Data is not encrypted with customer managed key 🟢⚪

  • Contextual name: 🛡️ Critical Data is not encrypted with customer managed key 🟢⚪
  • ID: /ce/ca/azure/storage/critical-data-encryption-with-cmk
  • Tags:
  • Policy Type: BEST_PRACTICE
  • Policy Categories: SECURITY

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-aef11ebd1 | |

Description

Enable sensitive data encryption at rest using Customer Managed Keys (CMK) rather than Microsoft Managed keys.

Rationale

By default, data in the storage account is encrypted using Microsoft Managed Keys at rest. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted. If you want to control and manage this encryption key yourself, however, you can specify a customer-managed key. That key is used to protect and control access to the key that encrypts your data. You can also choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated Key Vault.

While it is possible to automate the assessment of this recommendation, the assessment status for this recommendation remains 'Manual.' This is because the recommendation pertains to storage accounts that store critical data and is therefore not applicable to all storage accounts.

Impact

If an activation date and expiration date are set on the key and the key expires, the user must rotate the key manually.

Remediation

From Azure Portal

  1. Go to Storage Accounts.
  2. For each storage account, under Security + networking, go to Encryption.
  3. Set Encryption type to Customer-managed keys.
  4. Select an encryption key or enter a key URI.
  5. Click Save.
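The Rationale notes that this check can be automated even though CIS rates it Manual (only the owner knows which accounts hold critical data). The following Python is an added example, not Cloudaware's own rule code: it evaluates JSON shaped like `az storage account list` output, reading `encryption.keySource` and `encryption.keyVaultProperties`, and reports which in-scope accounts still use Microsoft-managed keys and which CMK accounts are pinned to a key version (and therefore need the manual rotation described under Impact). The account names, the key vault URI and the `critical_accounts` allow-list are constructed sample data.

```python
"""Assess 'storage for critical data is encrypted with a CMK' from az CLI JSON."""
import json

# Constructed sample, shaped like `az storage account list -o json` output.
SAMPLE_AZ_OUTPUT = json.dumps([
    {"name": "stpublicassets",
     "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": None}},
    {"name": "stcustomerpii",
     "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": None}},
    {"name": "stfinanceledger",
     "encryption": {"keySource": "Microsoft.Keyvault",
                    "keyVaultProperties": {"keyName": "ledger-cmk",
                                           "keyVaultUri": "https://kv-example.vault.azure.net/",
                                           "keyVersion": ""}}},
    {"name": "sthrrecords",
     "encryption": {"keySource": "Microsoft.Keyvault",
                    "keyVaultProperties": {"keyName": "hr-cmk",
                                           "keyVaultUri": "https://kv-example.vault.azure.net/",
                                           "keyVersion": "0123456789abcdef0123456789abcdef"}}},
])


def assess(accounts_json: str, critical_accounts: set[str]) -> dict[str, str]:
    """Return {account_name: finding} for the accounts listed as critical.

    The CIS check is Manual because only the owner knows which accounts hold
    critical data, hence the explicit allow-list (an assumption of this example).
    """
    findings: dict[str, str] = {}
    for acct in json.loads(accounts_json):
        name = acct["name"]
        if name not in critical_accounts:
            continue  # not in scope for this recommendation
        enc = acct.get("encryption") or {}
        if enc.get("keySource") != "Microsoft.Keyvault":
            findings[name] = "FAIL: encrypted with Microsoft-managed key, not CMK"
            continue
        kv = enc.get("keyVaultProperties") or {}
        # An empty keyVersion means the account follows the latest key version
        # (automatic update); a pinned version must be rotated by hand.
        if kv.get("keyVersion"):
            findings[name] = "PASS (manual rotation): CMK pinned to a key version"
        else:
            findings[name] = "PASS: CMK with automatic key version update"
    return findings


if __name__ == "__main__":
    critical = {"stcustomerpii", "stfinanceledger", "sthrrecords"}
    for account, result in assess(SAMPLE_AZ_OUTPUT, critical).items():
        print(f"{account}: {result}")
```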

policy.yaml

Linked Framework Sections

Section → Sub Section (Compliance)

  • 💼 APRA CPG 234 → 💼 52c appropriate encryption, cleansing and auditing of devices; (no data)
  • 💼 APRA CPG 234 → 💼 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance). (no data)
  • 💼 CIS Azure v1.3.0 → 💼 3.9 Ensure storage for critical data are encrypted with Customer Managed Key - Level 2 (Automated) (no data)
  • 💼 CIS Azure v1.4.0 → 💼 3.9 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys - Level 2 (Manual) (no data)
  • 💼 CIS Azure v2.1.0 → 💼 3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK) - Level 2 (Manual) (no data)
  • 💼 CIS Azure v3.0.0 → 💼 4.11 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK) (Manual) (no data)
  • 💼 Cloudaware Framework → 💼 Data Encryption (no data)
  • 💼 FedRAMP High Security Controls → 💼 AC-4(4) Flow Control of Encrypted Information (H) (no data)
  • 💼 FedRAMP High Security Controls → 💼 SC-12 Cryptographic Key Establishment and Management (L)(M)(H) (no data)
  • 💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H) (no data)
  • 💼 FedRAMP Low Security Controls → 💼 SC-12 Cryptographic Key Establishment and Management (L)(M)(H) (no data)
  • 💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H) (no data)
  • 💼 FedRAMP Moderate Security Controls → 💼 SC-12 Cryptographic Key Establishment and Management (L)(M)(H) (no data)
  • 💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H) (no data)
  • 💼 ISO/IEC 27001:2013 → 💼 A.10.1.2 Key management (no data)
  • 💼 NIST CSF v1.1 → 💼 PR.DS-1: Data-at-rest is protected (no data)
  • 💼 NIST CSF v1.1 → 💼 PR.DS-2: Data-in-transit is protected (no data)
  • 💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected (no data)
  • 💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected (no data)
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement | Processing Domains (no data)
  • 💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest (no data)
  • 💼 PCI DSS v3.2.1 → 💼 3.4.1 If disk encryption is used, logical access must be managed separately and independently of native operating system authentication and access control mechanisms. (no data)
  • 💼 PCI DSS v4.0.1 → 💼 3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography. (no data)
  • 💼 PCI DSS v4.0.1 → 💼 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field-level database encryption) to render PAN unreadable. (no data)
  • 💼 PCI DSS v4.0 → 💼 3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography. (no data)
  • 💼 PCI DSS v4.0 → 💼 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field-level database encryption) to render PAN unreadable. (no data)
  • 💼 SOC 2 → 💼 CC6.1-11 Protects Encryption Keys (no data)