Turbot Guardrails Hub 
Hub
  • Mods
  • Policy Packs
  • Docs
  • Home
ModsPolicy PacksDocsHome
Mods
Azure
Loading controls...

Control: Azure > CIS v3.0 > 04 - Storage Accounts > 04.11 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK)

Configures auditing against a CIS Benchmark item.

Level: 2

Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys.

By default, data in the storage account is encrypted using Microsoft Managed Keys at rest. All Azure Storage resources are encrypted, including blobs, disks, files, queues,and tables. All object metadata is also encrypted. If you want to control and manage this encryption key yourself, however, you can specify a customer-managed key. That key is used to protect and control access to the key that encrypts your data. You can also choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated Key Vault.

While it is possible to automate the assessment of this recommendation, the assessment status for this recommendation remains 'Manual.' This is because the recommendation pertains to storage accounts that store critical data and is therefore not applicable to all storage accounts.

Resource Types

This control targets the following resource types:

  • Azure > Storage > Storage Account

Policies

This control type relies on these other policies when running actions:

  • Azure > CIS v3.0
  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.11 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK)
  • Azure > CIS v3.0 > 04 - Storage Accounts

Category

  • CIS > Controls v7 > 14 Controlled Access Based on the Need to Know > 14.08 Encrypt Sensitive Information at Rest

In Your Workspace

  • Controls by Resource report
  • Controls by Control Type report

Developers

    Control Type URI
    • tmod:@turbot/azure-cisv3-0#/control/types/r0411
    • Category URI
    • tmod:@turbot/cis#/control/categories/v071408
    • GraphQL
    • query controlType(id: "tmod:@turbot/azure-cisv3-0#/control/types/r0411") { … }
    • query controls(filter: "controlTypeId:'tmod:@turbot/azure-cisv3-0#/control/types/r0411'") { … }
    • CLI
    • Get Controls
    • turbot graphql controls --filter "controlTypeId:tmod:@turbot/azure-cisv3-0#/control/types/r0411"
Guardrails
Guardrails Hub
  • Hub
  • Docs
  • Blog
  • Changelog
Products
  • GuardrailsGuardrails
  • PipesPipes
  • SteampipeSteampipe
  • PowerpipePowerpipe
  • FlowpipeFlowpipe
  • TailpipeTailpipe
Turbot
  • Home
  • About us
  • We're hiring!
  • Contact us
Community

Our community of practitioners love to discuss cloud governance & security.

Slack logoJoin us on Slack →

System StatusLegalSecurity
Terms of UseSecurityPrivacy
50
Mods
204
Resource Types
3,575
Policies
1,941
Controls
103
Quick Actions
111
IAM