AKS OS and data disks should be encrypted by CMK
HIGH
Ensures AKS cluster OS and data disks use customer-managed keys for encryption.
What does this mean?
This recommendation ensures that OS disks and data disks used by AKS node pools are encrypted using customer-managed keys (CMK) instead of the default platform-managed keys.
Benefits of implementation
- Full control over encryption keys for AKS node disks
- Meets regulatory requirements for key management in Kubernetes environments
- Consistent encryption strategy across compute resources
Drawbacks and considerations
- Requires Azure Key Vault with disk encryption set configuration
- Adds complexity to AKS cluster provisioning
- Key availability impacts cluster node operations
Implementation
Implementation guidance coming soon.
Related recommendations
Related recommendations will be linked here.
Frameworks
Details
- Risk Level
- HIGH
- Category
- Kubernetes / AKS
- Azure Resource
- Frameworks
- 1 frameworks
- Last updated
- 2026-02-12