last sync: 2020-Oct-01 14:15:17 UTC

Azure Policy

Storage account should use customer-managed key for encryption

Policy DisplayName: Storage account should use customer-managed key for encryption
Policy Id: 6fac406b-40ca-413b-bf8e-0bf964659c25
Policy Category: Storage
Policy Description: Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.
Policy Mode: Indexed
Policy Type: BuiltIn
Policy in Preview: FALSE
Policy Deprecated: FALSE
Policy Effect: Default: Audit; Allowed: (Audit, Disabled)
Roles used: none
Policy Changes (Date/Time (UTC ymd), Change, Change detail):
  2020-08-18 14:06:57 add: Policy 6fac406b-40ca-413b-bf8e-0bf964659c25
Used in Policy Initiative(s): none
Policy Rule:
{
  "properties": {
    "displayName": "Storage account should use customer-managed key for encryption",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.",
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "not": {
              "field": "Microsoft.Storage/storageAccounts/encryption.keySource",
              "equals": "Microsoft.Keyvault"
            }
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6fac406b-40ca-413b-bf8e-0bf964659c25"
}