Turbot Guardrails Hub 
Hub
  • Mods
  • Policy Packs
  • Docs
  • Home
ModsPolicy PacksDocsHome
Mods
Azure
Loading policies...

Policy: Azure > CIS v3.0 > 04 - Storage Accounts > 04.11 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK)

Configures auditing against a CIS Benchmark item.

Level: 2

Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys.

By default, data in the storage account is encrypted using Microsoft Managed Keys at rest. All Azure Storage resources are encrypted, including blobs, disks, files, queues,and tables. All object metadata is also encrypted. If you want to control and manage this encryption key yourself, however, you can specify a customer-managed key. That key is used to protect and control access to the key that encrypts your data. You can also choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated Key Vault.

While it is possible to automate the assessment of this recommendation, the assessment status for this recommendation remains 'Manual.' This is because the recommendation pertains to storage accounts that store critical data and is therefore not applicable to all storage accounts.

Targets

This policy targets the following resource types:

  • Azure > Storage > Storage Account

Primary Policy

This policy is used with the following primary policy:

  • Azure > CIS v3.0 > 04 - Storage Accounts

Controls

Setting this policy configures this control:

  • Azure > CIS v3.0 > 04 - Storage Accounts > 04.11 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK)

Policy Specification

Schema Type
string
Default
Per Azure > CIS v3.0 > 04 - Storage Accounts
Valid Values [YAML]
  • Per Azure > CIS v3.0 > 04 - Storage Accounts

  • Skip

  • Check: Benchmark

Category

  • CIS > Controls v7 > 14 Controlled Access Based on the Need to Know > 14.08 Encrypt Sensitive Information at Rest

In Your Workspace

  • Policy Settings by Type report

Developers

    Category URI
    • tmod:@turbot/cis#/control/categories/v071408
    • Policy Type URI
    • tmod:@turbot/azure-cisv3-0#/policy/types/r0411
    • GraphQL
    • query policyType(id: "tmod:@turbot/azure-cisv3-0#/policy/types/r0411") { … }
    • query policySettings(filter: "policyTypeId:'tmod:@turbot/azure-cisv3-0#/policy/types/r0411'") { … }
    • query policyValues(filter: "policyTypeId:'tmod:@turbot/azure-cisv3-0#/policy/types/r0411'") { … }
    • CLI
    • Get Policy Type
    • turbot graphql policy-type --id "tmod:@turbot/azure-cisv3-0#/policy/types/r0411"
      • Get Policy Settings
    • turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv3-0#/policy/types/r0411"
Guardrails
Guardrails Hub
  • Hub
  • Docs
  • Blog
  • Changelog
Products
  • GuardrailsGuardrails
  • PipesPipes
  • SteampipeSteampipe
  • PowerpipePowerpipe
  • FlowpipeFlowpipe
  • TailpipeTailpipe
Turbot
  • Home
  • About us
  • We're hiring!
  • Contact us
Community

Our community of practitioners love to discuss cloud governance & security.

Slack logoJoin us on Slack →

System StatusLegalSecurity
Terms of UseSecurityPrivacy
50
Mods
204
Resource Types
3,575
Policies
1,941
Controls
103
Quick Actions
111
IAM