Storage accounts should use CMK for encryption
HIGH
Ensures storage accounts use customer-managed keys for encryption instead of platform-managed keys.
What does this mean?
This optional recommendation enforces customer-managed key (CMK) encryption on Azure Storage accounts. Azure Storage already encrypts data at rest with a platform-managed key by default; what CMK changes is who controls that key. With the key held in Azure Key Vault (or Managed HSM) you own its lifecycle: you decide when it is rotated, and you can revoke access by disabling the key or removing the storage account's permission to use it, which makes the data unreadable until access is restored.
Benefits of implementation
- Full control over encryption key lifecycle
- Meets regulatory requirements for customer-managed encryption
- Enables integration with centralized key management
Drawbacks and considerations
- Requires Azure Key Vault infrastructure
- Key unavailability makes storage data inaccessible: if the key is deleted, disabled or expired, or the storage account's identity loses wrap/unwrap access to it, reads and writes fail until the key is available again. Enable soft-delete and purge protection on the key vault so a deleted key can be recovered rather than lost.
- Adds operational complexity for key rotation and monitoring
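To make the distinction above concrete, here is an added audit script (my example, not code from this page or from Microsoft) that reads the JSON emitted by `az storage account list` and reports accounts still on the platform-managed key, as well as CMK accounts pinned to a single key version, which is the state that quietly breaks key rotation. The property names `encryption.keySource` and `encryption.keyVaultProperties.keyName/keyVersion/keyVaultUri` are assumed to follow the ARM storage-account schema; the account names and vault URI in the sample are constructed.

```python
"""Audit Azure Storage accounts for customer-managed key (CMK) encryption.

Added example, not part of this recommendation page. It consumes the JSON
that `az storage account list` prints; the property names used below
(encryption.keySource, encryption.keyVaultProperties.keyName/keyVersion/
keyVaultUri) are assumed to follow the ARM storage-account schema.
"""
import json

PLATFORM_MANAGED = "Microsoft.Storage"   # default: Microsoft holds the key
CUSTOMER_MANAGED = "Microsoft.Keyvault"  # key lives in your Key Vault / Managed HSM

# Constructed sample data (names and URIs are made up), covering the three
# states an auditor meets: CMK with an unversioned key, CMK pinned to one
# key version, and the platform-managed default.
SAMPLE_ACCOUNTS_JSON = """
[
  {
    "name": "stprodlogs01",
    "resourceGroup": "rg-prod",
    "encryption": {
      "keySource": "Microsoft.Keyvault",
      "keyVaultProperties": {
        "keyName": "storage-cmk",
        "keyVersion": "",
        "keyVaultUri": "https://kv-prod-cmk.vault.azure.net/"
      }
    }
  },
  {
    "name": "stprodbackup02",
    "resourceGroup": "rg-prod",
    "encryption": {
      "keySource": "Microsoft.Keyvault",
      "keyVaultProperties": {
        "keyName": "storage-cmk",
        "keyVersion": "6f0a1c3e9b2d4d7e8a5f1b2c3d4e5f60",
        "keyVaultUri": "https://kv-prod-cmk.vault.azure.net/"
      }
    }
  },
  {
    "name": "stdevscratch03",
    "resourceGroup": "rg-dev",
    "encryption": {
      "keySource": "Microsoft.Storage"
    }
  }
]
"""


def audit_account(account: dict) -> list[str]:
    """Return findings for one account; an empty list means it passes."""
    findings: list[str] = []
    enc = account.get("encryption") or {}
    # A missing keySource is treated as the platform default, which is what
    # Azure applies when nothing else has been configured.
    source = enc.get("keySource") or PLATFORM_MANAGED
    if source != CUSTOMER_MANAGED:
        findings.append(f"encrypted with platform-managed key (keySource={source})")
        return findings

    kv = enc.get("keyVaultProperties") or {}
    if not kv.get("keyVaultUri") or not kv.get("keyName"):
        findings.append("keySource is Microsoft.Keyvault but key vault URI or key name is missing")
    # A pinned key version means the account keeps using that version after
    # the key is rotated in Key Vault; leaving the version empty lets Azure
    # Storage pick up new key versions automatically.
    if kv.get("keyVersion"):
        findings.append(f"key version pinned to {kv['keyVersion']}: automatic key-version update is disabled")
    return findings


def audit(accounts_json: str) -> dict[str, list[str]]:
    """Map each account name to its list of findings."""
    return {acct["name"]: audit_account(acct) for acct in json.loads(accounts_json)}


def non_compliant(accounts_json: str) -> list[str]:
    """Sorted names of accounts with at least one finding."""
    return sorted(name for name, found in audit(accounts_json).items() if found)


if __name__ == "__main__":
    for name, found in audit(SAMPLE_ACCOUNTS_JSON).items():
        print(f"{'PASS' if not found else 'FAIL'} {name}")
        for line in found:
            print(f"       - {line}")
```

In practice you would feed it the output of `az storage account list -o json` for each subscription. The script only inspects the storage side of the configuration; the key vault that holds the key still needs soft-delete and purge protection enabled, and the storage account's managed identity still needs get/wrapKey/unwrapKey access to the key, neither of which is visible in the storage account's own properties.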
Implementation
Implementation guidance coming soon.
Related recommendations
Related recommendations will be linked here.
Frameworks
Details
- Risk Level: HIGH
- Category: Storage Security
- Azure Resource
- Frameworks: 1 framework
- Last updated: 2026-02-12