Storage for critical data should be encrypted with Customer Managed Key


Description

By default, all data in an Azure storage account, including blobs, disks, files, queues, tables, and object metadata, is encrypted at rest using Microsoft-managed keys. You can enhance the security of your sensitive data by opting for customer-managed keys, which allow you to control and manage the encryption key that protects and controls access to your data. You can also choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated key vault.

Remediation

From the console

  1. Open Azure portal at https://portal.azure.com/
  2. Go to your existing storage account.
  3. Inside your storage account, choose Settings then select Encryption.
  4. By default, Azure storage is encrypted with Microsoft managed keys. To modify this, opt for Customer-managed key.
  5. You’ll need to specify a key from your already available Key Vault in the Customer-managed key settings.
  6. Lastly, you can choose to turn on automatic key updates for encryption whenever a new version is available. Locate this setting under the customer-managed key settings and check the box for Automatic key rotation.
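To verify the result of the steps above across many accounts, the following added check (not part of this page or of Azure's tooling) evaluates the `encryption` section of `az storage account show -o json` output: a customer-managed key is in use when `keySource` is `Microsoft.Keyvault` with a key name and vault URI set, and automatic key rotation is in effect when `keyVersion` is empty. The sample accounts and the camelCase field names are assumptions modelled on the CLI's output.

```python
import json

# Constructed sample of `az storage account show -o json` output, trimmed to the
# encryption section. Field names are assumed to match the CLI's camelCase output.
SAMPLE_ACCOUNTS = {
    "stgmicrosoftmanaged": {
        "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": None}
    },
    "stgcmkpinned": {  # CMK configured, but pinned to one key version (no auto rotation)
        "encryption": {"keySource": "Microsoft.Keyvault", "keyVaultProperties": {
            "keyName": "stg-key", "keyVaultUri": "https://kv-example.vault.azure.net/",
            "keyVersion": "0000000000000000000000000000abcd"}}
    },
    "stgcmkautorotate": {  # CMK configured with an empty version: latest version is used
        "encryption": {"keySource": "Microsoft.Keyvault", "keyVaultProperties": {
            "keyName": "stg-key", "keyVaultUri": "https://kv-example.vault.azure.net/",
            "keyVersion": ""}}
    },
}


def evaluate_encryption(account: dict) -> dict:
    """Return the CMK and rotation status of one storage account document."""
    enc = account.get("encryption") or {}
    key_source = enc.get("keySource", "Microsoft.Storage")
    kv = enc.get("keyVaultProperties") or {}
    uses_cmk = (key_source == "Microsoft.Keyvault"
                and bool(kv.get("keyName")) and bool(kv.get("keyVaultUri")))
    # An empty keyVersion means the account follows the newest key version in the vault.
    auto_rotation = uses_cmk and not kv.get("keyVersion")
    if not uses_cmk:
        finding = "FAIL: encrypted with Microsoft-managed keys; configure a customer-managed key"
    elif not auto_rotation:
        finding = "WARN: customer-managed key is pinned to one version; enable automatic key rotation"
    else:
        finding = "PASS"
    return {"customer_managed_key": uses_cmk,
            "automatic_key_rotation": auto_rotation, "finding": finding}


def audit(accounts: dict) -> dict:
    """Evaluate every account in a name -> document mapping."""
    return {name: evaluate_encryption(doc) for name, doc in accounts.items()}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ACCOUNTS), indent=2))
```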