AzInitiativeAdvertizer

last sync: 2025-Apr-29 17:15:47 UTC

Deny or Audit resources without Encryption with a customer-managed key (CMK)

Azure Landing Zones (ALZ) Policy Initiative (PolicySet)

Source

Repository Azure Landing Zones (ALZ) GitHub
JSON Enforce-Encryption-CMK_20250218

Display name

Deny or Audit resources without Encryption with a customer-managed key (CMK)

Id

Enforce-Encryption-CMK_20250218

Version

1.0.0
Details on versioning

Category

Encryption

Description

Deny or Audit resources without Encryption with a customer-managed key (CMK)

Cloud environments

AzureCloud

Type

Custom Azure Landing Zones (ALZ)

Deprecated

False

Preview

False

Replaces PolicySet

This ALZ PolicySet definition replaces [Deprecated]: Deny or Audit resources without Encryption with a customer-managed key (CMK) (Enforce-Encryption-CMK)
More information on Azure Landing Zones deprecated Policy and PolicySet definitions

Policy-used summary

Policy types	Policy states	Policy categories
Total Policies: 30 Builtin Policies: 29 Static Policies: 0 ALZ Policies: 1	Deprecated: 1 GA: 28 Preview: 1	23 categories: API for FHIR: 1 Automation: 1 Azure Data Explorer: 1 Backup: 1 Batch: 1 Bot Service: 1 Cognitive Services: 1 Compute: 1 Container Instance: 1 Container Registry: 1 Cosmos DB: 1 Data Box: 1 Data Factory: 1 Event Hub: 2 Kubernetes: 1 Machine Learning: 1 Search: 1 Security Center: 1 Service Bus: 1 SQL: 4 Storage: 4 Stream Analytics: 1 Synapse: 1

Policy-used

Policy DisplayName	Policy Id	Category	Effect	Roles#	Roles	State	Type	policy in AzUSGov
[Deprecated]: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources	0961003e-5a0a-4549-abde-af6a37f2724d	Security Center	Default Disabled Allowed AuditIfNotExists, Disabled	0		Deprecated	BuiltIn	true
[Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data	2e94d99a-8a36-4563-bc77-810d8893b671	Backup	Default Audit Allowed Audit, Deny, Disabled	0		Preview	BuiltIn	true
Azure AI Search services should use customer-managed keys to encrypt data at rest	76a56461-9dc0-40f0-82f5-2453283afa2f	Search	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA	BuiltIn	unknown
Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK)	67121cc7-ff39-4ab8-b7e3-95b84dab487d	Cognitive Services	Default Audit Allowed Audit, Deny, Disabled	0		GA	BuiltIn	true
Azure API for FHIR should use a customer-managed key to encrypt data at rest	051cba44-2429-45b9-9649-46cec11c7119	API for FHIR	Default Audit Allowed audit, Audit, disabled, Disabled	0		GA	BuiltIn	unknown
Azure Automation accounts should use customer-managed keys to encrypt data at rest	56a5ee18-2ae6-4810-86f7-18e39ce5629b	Automation	Default Audit Allowed Audit, Deny, Disabled	0		GA	BuiltIn	true
Azure Batch account should use customer-managed keys to encrypt data	99e9ccd8-3db9-4592-b0d1-14b1715a4d8a	Batch	Default Audit Allowed Audit, Deny, Disabled	0		GA	BuiltIn	true
Azure Container Instance container group should use customer-managed key for encryption	0aa61e00-0a01-4a3c-9945-e93cffedf0e6	Container Instance	Default Audit Allowed Audit, Disabled, Deny	0		GA	BuiltIn	true
Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest	1f905d99-2ab7-462c-a6b0-f709acca6c8f	Cosmos DB	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	0		GA	BuiltIn	true
Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password	86efb160-8de7-451d-bc08-5d475b0aadae	Data Box	Default Audit Allowed Audit, Deny, Disabled	0		GA	BuiltIn	true
Azure Data Explorer encryption at rest should use a customer-managed key	81e74cea-30fd-40d5-802f-d72103c2aaaa	Azure Data Explorer	Default Audit Allowed Audit, Deny, Disabled	0		GA	BuiltIn	true
Azure data factories should be encrypted with a customer-managed key	4ec52d6d-beb7-40c4-9a9e-fe753254690e	Data Factory	Default Audit Allowed Audit, Deny, Disabled	0		GA	BuiltIn	true
Azure Machine Learning workspaces should be encrypted with a customer-managed key	ba769a63-b8cc-4b2d-abf6-ac33c7204be8	Machine Learning	Default Audit Allowed Audit, Deny, Disabled	0		GA	BuiltIn	true
Azure Stream Analytics jobs should use customer-managed keys to encrypt data	87ba29ef-1ab3-4d82-b763-87fcd4f531f7	Stream Analytics	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	0		GA	BuiltIn	true
Azure Synapse workspaces should use customer-managed keys to encrypt data at rest	f7d52b2d-e161-4dfa-a82b-55e564167385	Synapse	Default Audit Allowed Audit, Deny, Disabled	0		GA	BuiltIn	true
Bot Service should be encrypted with a customer-managed key	51522a96-0869-4791-82f3-981000c2c67f	Bot Service	Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled	0		GA	BuiltIn	true
Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys	7d7be79c-23ba-4033-84dd-45e2a5ccdd67	Kubernetes	Default Audit Allowed Audit, Deny, Disabled	0		GA	BuiltIn	true
Container registries should be encrypted with a customer-managed key	5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580	Container Registry	Default Audit Allowed Audit, Deny, Disabled	0		GA	BuiltIn	true
Event Hub namespaces (Premium) should use a customer-managed key for encryption	Deny-EH-Premium-CMK	Event Hub	Default Deny Allowed Audit, Deny, Disabled	0		GA	ALZ
Event Hub namespaces should use a customer-managed key for encryption	a1ad735a-e96f-45d2-a7b2-9a4932cab7ec	Event Hub	Default Audit Allowed Audit, Disabled	0		GA	BuiltIn	true
MySQL servers should use customer-managed keys to encrypt data at rest	83cef61d-dbd1-4b20-a4fc-5fbc7da10833	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA	BuiltIn	unknown
OS and data disks should be encrypted with a customer-managed key	702dd420-7fcc-42c5-afe8-4026edd20fe0	Compute	Default Audit Allowed Audit, Deny, Disabled	0		GA	BuiltIn	true
PostgreSQL servers should use customer-managed keys to encrypt data at rest	18adea5e-f416-4d0f-8aa8-d24321e3e274	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA	BuiltIn	true
Queue Storage should use customer-managed key for encryption	f0e5abd0-2554-4736-b7c0-4ffef23475ef	Storage	Default Audit Allowed Audit, Deny, Disabled	0		GA	BuiltIn	true
Service Bus Premium namespaces should use a customer-managed key for encryption	295fc8b1-dc9f-4f53-9c61-3f313ceab40a	Service Bus	Default Audit Allowed Audit, Disabled	0		GA	BuiltIn	true
SQL managed instances should use customer-managed keys to encrypt data at rest	ac01ad65-10e5-46df-bdd9-6b0cad13e1d2	SQL	Default Audit Allowed Audit, Deny, Disabled	0		GA	BuiltIn	true
SQL servers should use customer-managed keys to encrypt data at rest	0a370ff3-6cab-4e85-8995-295fd854c5b8	SQL	Default Audit Allowed Audit, Deny, Disabled	0		GA	BuiltIn	true
Storage account encryption scopes should use customer-managed keys to encrypt data at rest	b5ec538c-daa0-4006-8596-35468b9148e8	Storage	Default Audit Allowed Audit, Deny, Disabled	0		GA	BuiltIn	true
Storage accounts should use customer-managed key for encryption	6fac406b-40ca-413b-bf8e-0bf964659c25	Storage	Default Audit Allowed Audit, Disabled	0		GA	BuiltIn	true
Table Storage should use customer-managed key for encryption	7c322315-e26d-4174-a99e-f49d351b4688	Storage	Default Audit Allowed Audit, Deny, Disabled	0		GA	BuiltIn	true

Roles used

No Roles used

History

none

JSON compare

n/a

JSON

EPAC