Ensure that your Azure Storage accounts use customer-managed keys (also known as Bring Your Own Keys, BYOKs) instead of service-managed keys (the default keys that Microsoft Azure uses for data encryption), in order to have more granular control over how your Azure Storage data is encrypted and decrypted.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure
By default, the data (blobs and files) stored within your Azure Storage accounts is encrypted using service-managed keys (i.e. Microsoft-managed keys). You may therefore want to bring your own key for encrypting your storage account data, so that you gain full control over who can use the encryption keys and who can access the encrypted data.
To determine if your Microsoft Azure Storage account data is encrypted with customer-managed keys (CMKs), perform the following actions:
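As an added example (not part of the Conformity rule page), the following Python check reads the JSON that `az storage account list -o json` produces and flags every account whose `encryption.keySource` is not `Microsoft.Keyvault`, i.e. still on service-managed keys. The account names and vault URI below are constructed sample data.

```python
import json

# Constructed sample shaped like `az storage account list -o json` output,
# trimmed to the fields this check reads. These are not real accounts.
SAMPLE_AZ_OUTPUT = json.dumps([
    {
        "name": "stprodlogs",
        "resourceGroup": "rg-prod",
        "encryption": {
            "keySource": "Microsoft.Keyvault",
            "keyVaultProperties": {
                "keyName": "storage-cmk",
                "keyVaultUri": "https://kv-prod-example.vault.azure.net/",
                "keyVersion": None,  # no pinned version: latest key version is used
            },
        },
    },
    {
        "name": "stdevscratch",
        "resourceGroup": "rg-dev",
        "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": None},
    },
    {"name": "stlegacy", "resourceGroup": "rg-legacy", "encryption": {}},
])


def uses_customer_managed_key(account):
    """True only when the key source is Key Vault and a vault/key is configured."""
    enc = account.get("encryption") or {}
    if enc.get("keySource") != "Microsoft.Keyvault":
        return False
    kv = enc.get("keyVaultProperties") or {}
    return bool(kv.get("keyVaultUri") and kv.get("keyName"))


def find_non_compliant(az_json):
    """Return 'resourceGroup/name' for each account not using a customer-managed key."""
    accounts = json.loads(az_json)
    return [
        f"{a.get('resourceGroup', '?')}/{a.get('name', '?')}"
        for a in accounts
        if not uses_customer_managed_key(a)
    ]


if __name__ == "__main__":
    for acct in find_non_compliant(SAMPLE_AZ_OUTPUT):
        print(f"NON-COMPLIANT (service-managed key): {acct}")
```

Against a real subscription, pipe `az storage account list -o json` into `find_non_compliant` instead of the constructed sample.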
Remediation / Resolution
To enable encryption at rest using Bring Your Own Keys (BYOKs) for all your Microsoft Azure Storage accounts, perform the following actions:
- Azure Official Documentation
- Create an Azure Storage account
- Configure customer-managed keys with Azure Key Vault by using the Azure portal
- About Azure Key Vault
- Configure customer-managed keys with Azure Key Vault by using Azure CLI
Use BYOK for Storage Account Encryption
Risk level: High