Storage Accounts for critical data should be encrypted with Customer Managed Keys
Description
Although Storage Accounts are encrypted by default with Microsoft-managed keys, customer-managed keys provide additional security controls. Users can choose when to rotate their keys to meet compliance and security requirements, and customer-managed keys give users a means to prevent Azure from accessing their data by disabling the keys. Note that disabling the key also makes the account's data unreadable to its owners until the key is re-enabled, so key disabling is a deliberate control rather than a routine operation.
Remediation Steps
Azure Portal
Navigate to Storage Accounts.
For each storage account, go to Encryption.
Set Encryption type to Customer-managed keys.
Use option Select from key vault or Enter key URI to set up encryption with your own key.
Click Save.
Azure CLI
To encrypt a storage account with a customer-managed key:
az storage account update \
    --name <storage-account-name> \
    --resource-group <resource-group-name> \
    --encryption-key-source=Microsoft.Keyvault \
    --encryption-key-vault <key-vault-uri> \
    --encryption-key-name <key-name> \
    --encryption-key-version <key-version>
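To audit a subscription against this check before remediating, the following script is an added example (not part of this page, the benchmark, or the Azure CLI). It reads the JSON that `az storage account list -o json` prints, classifies each account by its `encryption.keySource` value, and builds the `az storage account update` command from the remediation steps above for each non-compliant account. The account names, resource group, and key vault URI in the embedded sample are constructed; in practice you would pipe the real listing into `audit_accounts`.

```python
"""Audit helper for the Storage Account customer-managed key (CMK) check.

Added example, not part of the benchmark page or of the Azure CLI. It consumes
the JSON printed by `az storage account list -o json` and reports accounts whose
encryption key source is still Microsoft-managed. The sample listing below is
constructed to show both states.
"""
import json

CMK_KEY_SOURCE = "Microsoft.Keyvault"   # value set by --encryption-key-source
MMK_KEY_SOURCE = "Microsoft.Storage"    # default: Microsoft-managed keys

# Constructed sample resembling `az storage account list -o json` output.
SAMPLE_LISTING = json.dumps([
    {
        "name": "stlogs001",
        "resourceGroup": "rg-prod",
        "encryption": {"keySource": MMK_KEY_SOURCE, "keyVaultProperties": None},
    },
    {
        "name": "stcritical002",
        "resourceGroup": "rg-prod",
        "encryption": {
            "keySource": CMK_KEY_SOURCE,
            "keyVaultProperties": {
                "keyName": "st-cmk",
                "keyVaultUri": "https://kv-example.vault.azure.net/",
                "keyVersion": "",
            },
        },
    },
])


def audit_accounts(listing_json: str) -> dict:
    """Classify each account as 'cmk' or 'microsoft-managed'.

    Returns {"cmk": [names], "microsoft-managed": [names]}. An account counts
    as CMK only when keySource is Microsoft.Keyvault AND key vault properties
    naming a key are present; anything else is treated as non-compliant.
    """
    result = {"cmk": [], "microsoft-managed": []}
    for acct in json.loads(listing_json):
        enc = acct.get("encryption") or {}
        props = enc.get("keyVaultProperties") or {}
        if enc.get("keySource") == CMK_KEY_SOURCE and props.get("keyName"):
            result["cmk"].append(acct["name"])
        else:
            result["microsoft-managed"].append(acct["name"])
    return result


def remediation_command(name, resource_group, vault_uri, key_name, key_version=""):
    """Build the `az storage account update` command from the remediation steps.

    An empty key_version omits --encryption-key-version, which makes the account
    follow the latest version of the key in the vault instead of pinning one.
    """
    parts = [
        "az storage account update",
        f"--name {name}",
        f"--resource-group {resource_group}",
        f"--encryption-key-source={CMK_KEY_SOURCE}",
        f"--encryption-key-vault {vault_uri}",
        f"--encryption-key-name {key_name}",
    ]
    if key_version:
        parts.append(f"--encryption-key-version {key_version}")
    return " ".join(parts)


if __name__ == "__main__":
    report = audit_accounts(SAMPLE_LISTING)
    for name in report["microsoft-managed"]:
        print("NON-COMPLIANT:", name)
        print("  fix:", remediation_command(
            name, "rg-prod", "https://kv-example.vault.azure.net/", "st-cmk"))
    for name in report["cmk"]:
        print("compliant:", name)
```

The generated command assumes the prerequisites the page does not state but that Azure requires for customer-managed keys: the storage account has a managed identity with get, wrapKey and unwrapKey permissions on the vault key, and the key vault has soft delete and purge protection enabled. Without those, the update fails rather than silently leaving the account on Microsoft-managed keys, so the audit output is still the reliable indicator of the account's current state.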