AzPolicyAdvertizer

last sync: 2025-Apr-29 17:16:02 UTC

Queue Storage should use customer-managed key for encryption

Azure BuiltIn Policy definition

Source

Azure Portal

Display name

Queue Storage should use customer-managed key for encryption

f0e5abd0-2554-4736-b7c0-4ffef23475ef

Version

1.0.0
Details on versioning

Versioning

Versions supported for Versioning: 1
1.0.0
Built-in Versioning [Preview]

Category

Storage
Microsoft Learn

Description

Secure your queue storage with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.

Cloud environments

AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown

Available in AzUSGov

The Policy is available in AzureUSGovernment cloud. Version: '1.*.*'

Mode

Indexed

Type

BuiltIn

Preview

False

Deprecated

False

Effect

Default
Audit
Allowed
Audit, Deny, Disabled

RBAC role(s)

none

Rule aliases

IF (2)

Alias	Namespace	ResourceType	Path	PathIsDefault	DefaultPath	Modifiable
Microsoft.Storage/storageAccounts/encryption.keySource	Microsoft.Storage	storageAccounts	properties.encryption.keySource	True		False
Microsoft.Storage/storageAccounts/encryption.services.queue.keyType	Microsoft.Storage	storageAccounts	properties.encryption.services.queue.keyType	True		False

Rule resource types

IF (1)

Microsoft.Storage/storageAccounts

Compliance

The following 2 compliance controls are associated with this Policy definition 'Queue Storage should use customer-managed key for encryption' (f0e5abd0-2554-4736-b7c0-4ffef23475ef)

Control Domain	Control	Name	MetadataId	Category	Title	Owner	Requirements	Description	Info	Policy#
	op.exp.10 Cryptographic key protection	op.exp.10 Cryptographic key protection	404 not found				n/a	n/a		50
SO	.3 - Customer-Managed Keys	SO.3 - Customer-Managed Keys	404 not found				n/a	n/a		14

Initiatives usage

Initiative DisplayName	Initiative Id	Initiative Category	State	Type	polSet in AzUSGov
[Deprecated]: Deny or Audit resources without Encryption with a customer-managed key (CMK)	Enforce-Encryption-CMK	Encryption	Deprecated	ALZ
[Preview]: Control the use of Storage Accounts in a Virtual Enclave	ca122c06-05f6-4423-9018-ccb523168eb2	VirtualEnclaves	Preview	BuiltIn	true
Deny or Audit resources without Encryption with a customer-managed key (CMK)	Enforce-Encryption-CMK_20250218	Encryption	GA	ALZ
Sovereignty Baseline - Confidential Policies	03de05a4-c324-4ccd-882f-a814ea8ab9ea	Regulatory Compliance	GA	BuiltIn	unknown
Spain ENS	175daf90-21e1-4fec-b745-7b4c909aa94c	Regulatory Compliance	GA	BuiltIn	unknown

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2022-02-18 17:44:00	add	f0e5abd0-2554-4736-b7c0-4ffef23475ef

JSON compare

n/a

JSON

api-version=2021-06-01
EPAC