Control: Azure > AI Foundry > Account > Encryption at Rest
Define the Encryption at Rest settings required for Azure > AI Foundry > Account.
Three-tier policy (mirrors @turbot/azure-storage):
- Microsoft managed key — the account must be encrypted with a Microsoft-managed key (the Azure default).
- Customer managed key — the account must be encrypted with any customer-managed key. The Customer Managed Key sub-policy is optional for Check and required for Enforce.
- Encryption at Rest > Customer Managed Key — the account must be encrypted with the specific customer-managed key referenced by the Customer Managed Key sub-policy. The sub-policy is required for both Check and Enforce.
On mismatch the control raises an alarm and (on Enforce: ...) applies the desired encryption setting.
Note: Ensure the AI Foundry account's managed identity holds the Key Vault Crypto Officer role assignment on the key vault key.
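The Check decision for the three tiers above, as an added Python example; it is not Turbot's code. It reads the `properties.encryption` block of a `Microsoft.CognitiveServices/accounts` document. The tier constants, function names, returned states and sample values are hypothetical.

```python
from urllib.parse import urlparse

# Tier names are shorthand for this example, not Turbot policy values.
MICROSOFT_MANAGED, ANY_CMK, SPECIFIC_CMK = "mmk", "any-cmk", "specific-cmk"

def key_ref(props):
    """Normalise keyVaultProperties to (vault host, key name, key version)."""
    host = (urlparse(props.get("keyVaultUri", "")).hostname or "").lower()
    return host, props.get("keyName", "").lower(), (props.get("keyVersion") or "").lower()

def evaluate(account, tier, required_key=None):
    """Return (state, reason) for one account document and one policy tier."""
    enc = (account.get("properties") or {}).get("encryption") or {}
    # No encryption block means the Azure default: a Microsoft-managed key.
    uses_cmk = enc.get("keySource", "Microsoft.CognitiveServices") == "Microsoft.KeyVault"
    if tier == MICROSOFT_MANAGED:
        return ("alarm", "customer-managed key in use") if uses_cmk else ("ok", "Microsoft-managed key")
    if not uses_cmk:
        return "alarm", "Microsoft-managed key in use"
    if tier == ANY_CMK:
        return "ok", "customer-managed key in use"
    if required_key is None:
        return "invalid", "Customer Managed Key sub-policy is not set"
    actual, wanted = key_ref(enc.get("keyVaultProperties") or {}), key_ref(required_key)
    if not wanted[2]:
        # Assumption: a policy without a version accepts any version of that key.
        actual = actual[:2] + ("",)
    if actual == wanted:
        return "ok", "required customer-managed key in use"
    return "alarm", "a different customer-managed key is in use"

# Constructed sample documents; vault and key names are placeholders.
DEFAULT_ACCOUNT = {"properties": {}}
CMK_ACCOUNT = {"properties": {"encryption": {
    "keySource": "Microsoft.KeyVault",
    "keyVaultProperties": {"keyVaultUri": "https://example-vault.vault.azure.net/",
                           "keyName": "foundry-cmk", "keyVersion": "0123abcd"}}}}
REQUIRED = {"keyVaultUri": "https://EXAMPLE-VAULT.vault.azure.net", "keyName": "foundry-cmk"}

if __name__ == "__main__":
    for tier in (MICROSOFT_MANAGED, ANY_CMK, SPECIFIC_CMK):
        print(tier, evaluate(DEFAULT_ACCOUNT, tier, REQUIRED), evaluate(CMK_ACCOUNT, tier, REQUIRED))
```

The comparison normalises the vault host and key name so that case and trailing-slash differences in the key reference do not cause a false alarm.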
Resource Types
This control targets the following resource types:
Policies
The following policies can be used to configure this control:
This control type relies on these other policies when running actions:
Permissions
Cloud permissions used by this control and its actions:
microsoft.cognitiveservices/accounts/write
Category
In Your Workspace
Developers
- tmod:@turbot/azure-aifoundry#/control/types/accountEncryptionAtRest
- tmod:@turbot/turbot#/control/categories/resourceEncryptionAtRest
- turbot graphql controls --filter "controlTypeId:tmod:@turbot/azure-aifoundry#/control/types/accountEncryptionAtRest"
Get Controls