Azure-StorageAccounts-Storage-Accounts-Encryption

Severity: High

Description: This control ensures that sensitive data at rest is encrypted using a Customer Managed Key. Data in Azure Monitor is encrypted with either a Microsoft-managed key or customer-managed keys. With a customer-managed key, the data is encrypted with your Azure Key Vault key, which lets you protect and control access to it. Customer-managed keys offer greater flexibility to manage access controls.

Remediation Steps:

Perform the following steps to update the encryption parameters:

  1. Log in to the Azure Portal at https://portal.azure.com.

  2. Go to Storage Account.

  3. For each storage account, click Encryption under Settings.

  4. Set Customer Managed Keys.

  5. Select the Encryption key and enter the appropriate setting value.

  6. Click Save.
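
To confirm the result of these steps across many accounts, the following added example (not part of the original control text) audits storage account records for customer-managed key encryption. It assumes the input is JSON shaped like `az storage account list -o json` output, where `encryption.keySource` is `Microsoft.Keyvault` for customer-managed keys; the account names and vault URI in the sample are constructed.

```python
import json

# Constructed sample shaped like `az storage account list -o json` output
# (names and vault URI are made up; only fields used by the check are kept).
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "examplecmk01", "resourceGroup": "rg-example",
   "encryption": {"keySource": "Microsoft.Keyvault",
                  "keyVaultProperties": {"keyName": "storage-key",
                                         "keyVaultUri": "https://example-vault.vault.azure.net"}}},
  {"name": "examplemmk02", "resourceGroup": "rg-example",
   "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": null}},
  {"name": "examplebroken03", "resourceGroup": "rg-example",
   "encryption": {"keySource": "Microsoft.Keyvault", "keyVaultProperties": null}},
  {"name": "examplemissing04", "resourceGroup": "rg-example"}
]
"""

CMK_KEY_SOURCE = "microsoft.keyvault"  # compared case-insensitively


def evaluate_account(account):
    """Return (compliant, reason) for one storage account record."""
    enc = account.get("encryption") or {}
    key_source = (enc.get("keySource") or "").lower()
    if key_source != CMK_KEY_SOURCE:
        return False, f"keySource is {enc.get('keySource')!r}, not Microsoft.Keyvault"
    # A customer-managed key must also point at a concrete Key Vault key.
    kv = enc.get("keyVaultProperties") or {}
    missing = [f for f in ("keyName", "keyVaultUri") if not kv.get(f)]
    if missing:
        return False, "customer-managed key selected but missing " + ", ".join(missing)
    return True, f"encrypted with key {kv['keyName']!r} in {kv['keyVaultUri']}"


def audit(accounts_json):
    """Map each account name to its (compliant, reason) result."""
    return {a.get("name", "<unnamed>"): evaluate_account(a)
            for a in json.loads(accounts_json)}


if __name__ == "__main__":
    for name, (ok, reason) in audit(SAMPLE_ACCOUNTS_JSON).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {reason}")
```

Accounts reported as FAIL are the ones that still need steps 3 to 6 applied.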

Important:

Reference:

Blue Hexagon Proprietary