AzPolicyAdvertizer

last sync: 2025-Oct-29 18:23:11 UTC

Queue Storage should use customer-managed key for encryption

Azure BuiltIn Policy definition

Source Azure Portal
Display name Queue Storage should use customer-managed key for encryption
Id f0e5abd0-2554-4736-b7c0-4ffef23475ef
Version 1.0.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.0.0
Built-in Versioning [Preview]
Category Storage
Microsoft Learn
Description Secure your queue storage with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '1.*.*'
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
Audit
Allowed
Audit, Deny, Disabled
RBAC role(s) none
Rule aliases IF (2)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Storage/storageAccounts/encryption.keySource Microsoft.Storage storageAccounts properties.encryption.keySource True False
Microsoft.Storage/storageAccounts/encryption.services.queue.keyType Microsoft.Storage storageAccounts properties.encryption.services.queue.keyType True False
Rule resource types IF (1)
Compliance
The following 3 compliance controls are associated with this Policy definition 'Queue Storage should use customer-managed key for encryption' (f0e5abd0-2554-4736-b7c0-4ffef23475ef)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v3.0 DP-5 Azure_Security_Benchmark_v3.0_DP-5 Microsoft cloud security benchmark DP-5 Data Protection DP-5 Use customer-managed key option in data at rest encryption when required Shared **Security Principle:** If required for regulatory compliance, define the use case and service scope where customer-managed key option is needed. Enable and implement data at rest encryption using customer-managed key in services. **Azure Guidance:** Azure also provides encryption option using keys managed by yourself (customer-managed keys) for certain services. However, using customer-managed key option requires additional operational efforts to manage the key lifecycle. This may include encryption key generation, rotation, revoke and access control, etc. **Implementation and additional context:** Encryption model and key management table: https://docs.microsoft.com/azure/security/fundamentals/encryption-models Services that support encryption using customer-managed key: https://docs.microsoft.com/azure/security/fundamentals/encryption-models#supporting-services How to configure customer managed encryption keys in Azure Storage: https://docs.microsoft.com/azure/storage/common/storage-encryption-keys-portal n/a link 47
op.exp.10 Cryptographic key protection op.exp.10 Cryptographic key protection 404 not found n/a n/a 50
SO .3 - Customer-Managed Keys SO.3 - Customer-Managed Keys 404 not found n/a n/a 14
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Deprecated]: Deny or Audit resources without Encryption with a customer-managed key (CMK) Enforce-Encryption-CMK Encryption Deprecated ALZ
[Preview]: Control the use of Storage Accounts in a Virtual Enclave ca122c06-05f6-4423-9018-ccb523168eb2 VirtualEnclaves Preview BuiltIn true
[Preview]: Microsoft cloud security benchmark v2 e3ec7e09-768c-4b64-882c-fcada3772047 Security Center Preview BuiltIn unknown
Deny or Audit resources without Encryption with a customer-managed key (CMK) Enforce-Encryption-CMK_20250218 Encryption GA ALZ
Sovereignty Baseline - Confidential Policies 03de05a4-c324-4ccd-882f-a814ea8ab9ea Regulatory Compliance GA BuiltIn unknown
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-02-18 17:44:00 add f0e5abd0-2554-4736-b7c0-4ffef23475ef
JSON compare n/a
JSON
api-version=2021-06-01
EPAC