Storage Accounts for critical data should be encrypted with Customer Managed Keys


Although Storage Accounts are encrypted by default with Microsoft-managed keys, customer-managed keys provide additional security controls: users decide when to rotate their keys to meet compliance and security requirements, and can cut off Azure's access to their data by disabling the keys.

Remediation Steps

Azure Portal

  • Navigate to Storage Accounts.

  • For each storage account, go to Encryption.

  • Set Encryption type to Customer-managed keys.

  • Use either Select from key vault or Enter key URI to choose your own key for the encryption.

  • Click Save.

Azure CLI

  • To encrypt a storage account with a customer-managed key:

    • az storage account update --name <storage account name> --resource-group <resource group name> --encryption-key-source=Microsoft.Keyvault --encryption-key-vault <Key Vault URI> --encryption-key-name <KeyName> --encryption-key-version <Key Version>
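The following shell script is an added example, not part of the original page or of any Azure tooling. It carries the Azure CLI remediation above through end to end: it prepares the key vault (purge protection is required before a storage account can use a vault key), gives the storage account a system-assigned identity with only the get/wrapKey/unwrapKey permissions it needs, applies the same az storage account update command as above, and then verifies the result by checking the encryption.keySource field that az storage account show returns. All resource names (RG, SA, KV, KEY) are constructed placeholders, and the script assumes a vault that uses the access-policy permission model; a vault on the RBAC model would need a role assignment instead of az keyvault set-policy. The helpers that split a key identifier into the vault URI and key version, and the check on the returned JSON, run without any Azure access; the az commands run only when the script is invoked with --apply.

```shell
#!/bin/sh
# Added example, not from the original page: enable customer-managed key (CMK)
# encryption on a storage account with the Azure CLI, then verify the setting.
# All names are constructed placeholders; override RG/SA/KV/KEY from the
# environment. The az commands only run when invoked as: ./cmk.sh --apply
set -eu

RG="${RG:-rg-example}"        # resource group (placeholder)
SA="${SA:-stexample001}"      # storage account (placeholder)
KV="${KV:-kv-example}"        # key vault (placeholder)
KEY="${KEY:-sa-cmk}"          # key name inside the vault (placeholder)

# A key identifier (kid) has the form
#   https://<vault>.vault.azure.net/keys/<name>/<version>
# These helpers split it into the vault URI and key version that
# `az storage account update` expects as separate arguments.
vault_uri_from_kid() {
  printf '%s/\n' "${1%/keys/*}"
}

key_version_from_kid() {
  printf '%s\n' "${1##*/}"
}

# Inspect the JSON from `az storage account show --query encryption` and
# return 0 when the account uses a Key Vault key, 1 when it still relies on
# Microsoft-managed keys (keySource "Microsoft.Storage").
check_cmk_enabled() {
  printf '%s' "$1" | grep -q '"keySource": *"Microsoft.Keyvault"'
}

apply_cmk() {
  # 1. Storage will not use a key from a vault without purge protection
  #    (soft delete is on by default). Create the key if it is not there yet.
  az keyvault update --name "$KV" --resource-group "$RG" --enable-purge-protection true
  az keyvault key create --vault-name "$KV" --name "$KEY" --protection software

  # 2. Give the account a system-assigned identity and grant it only the key
  #    operations it needs: no permission to delete, export or rotate the key.
  az storage account update --name "$SA" --resource-group "$RG" --assign-identity
  principal="$(az storage account show --name "$SA" --resource-group "$RG" \
                --query identity.principalId -o tsv)"
  az keyvault set-policy --name "$KV" --object-id "$principal" \
      --key-permissions get wrapKey unwrapKey

  # 3. Point the account at the key. Passing the version pins that version;
  #    omit --encryption-key-version to let Azure track the newest version.
  kid="$(az keyvault key show --vault-name "$KV" --name "$KEY" --query key.kid -o tsv)"
  az storage account update --name "$SA" --resource-group "$RG" \
      --encryption-key-source Microsoft.Keyvault \
      --encryption-key-vault "$(vault_uri_from_kid "$kid")" \
      --encryption-key-name "$KEY" \
      --encryption-key-version "$(key_version_from_kid "$kid")"

  # 4. Verify rather than trust the update: read the setting back.
  enc="$(az storage account show --name "$SA" --resource-group "$RG" \
          --query encryption -o json)"
  if check_cmk_enabled "$enc"; then
    echo "OK: $SA is encrypted with customer-managed key $KEY from $KV"
  else
    echo "FAIL: $SA still uses Microsoft-managed keys" >&2
    return 1
  fi
}

if [ "${1:-}" = "--apply" ]; then
  apply_cmk
fi
```

The verification step is the part worth keeping in an audit script on its own: run check_cmk_enabled over the encryption JSON of every storage account in a subscription and report any that still use Microsoft.Storage as their key source.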