Control: Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management > 02.01.01.02 - Customer Managed Keys (CMK) > 02.01.01.02.01 - Ensure Critical Data is Encrypted with Customer Managed Keys (CMK)

Configures auditing against a CIS Benchmark item.

Level: 2

Customer Managed Keys introduce additional depth to security by providing a means to manage access control for encryption keys. Where compliance and security frameworks indicate the need, and organizational capacity allows, sensitive data at rest can be encrypted using Customer Managed Keys (CMK) rather than Microsoft Managed keys.

By default in Azure, data at rest tends to be encrypted using Microsoft Managed Keys. If your organization wants to control and manage encryption keys for compliance and defense-in-depth, Customer Managed Keys can be established.

While it is possible to automate the assessment of this recommendation, the assessment status for this recommendation remains 'Manual' due to ideally limited scope. The scope of application - which workloads CMK is applied to - should be carefully considered to account for organizational capacity and targeted to workloads with specific need for CMK.