[Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data |
Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/AB-CmkEncryption. |
Audit, Deny, Disabled |
1.0.0-preview |
[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines |
Install the Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines. |
AuditIfNotExists, Disabled |
6.0.0-preview |
[Preview]: Guest Attestation extension should be installed on supported Linux virtual machine scale sets |
Install the Guest Attestation extension on supported Linux virtual machine scale sets to allow Azure Security Center to proactively attest and monitor boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets. |
AuditIfNotExists, Disabled |
5.1.0-preview |
[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines |
Install the Guest Attestation extension on supported Windows virtual machines to allow Azure Security Center to proactively attest and monitor boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines. |
AuditIfNotExists, Disabled |
4.0.0-preview |
[Preview]: Guest Attestation extension should be installed on supported Windows virtual machine scale sets |
Install the Guest Attestation extension on supported Windows virtual machine scale sets to allow Azure Security Center to proactively attest and monitor boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets. |
AuditIfNotExists, Disabled |
3.1.0-preview |
[Preview]: IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK) |
Use customer-managed keys to manage the encryption at rest of your IoT Hub device provisioning service. The data is automatically encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. Learn more about CMK encryption at https://aka.ms/dps/CMK. |
Audit, Deny, Disabled |
1.0.0-preview |
[Preview]: Secure Boot should be enabled on supported Windows virtual machines |
Enable Secure Boot on supported Windows virtual machines to protect against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernels and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. |
Audit, Disabled |
4.0.0-preview |
[Preview]: vTPM should be enabled on supported virtual machines |
Enable the virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, the vTPM can be used to attest boot integrity. This assessment only applies to Trusted Launch-enabled virtual machines. |
Audit, Disabled |
2.0.0-preview |
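The Guest Attestation, Secure Boot and vTPM entries above all rest on one mechanism: every boot component is hashed into a TPM Platform Configuration Register (PCR), and a quote over the PCR values plus a verifier-supplied nonce is signed by the vTPM's attestation key and compared with known-good values. The following Python simulation is an added example written for this page; it is not Microsoft's Guest Attestation extension or its wire protocol. The PCR extend operation is TPM-style, but the attestation key is a constructed shared HMAC secret standing in for the asymmetric, platform-certified AK, the boot events are made-up labels, and the "golden" values are computed from them. It shows a healthy boot passing, a patched boot manager failing on PCR 4, a replayed quote failing the nonce check, and a quote whose reported PCRs do not match the signed digest being rejected.

```python
"""Simulated measured boot and remote attestation (added example; not Azure's Guest Attestation)."""
import hashlib
import hmac
import json
import os
from typing import Any, Dict, List, Tuple

# Constructed boot chain: (PCR index, event) in boot order. PCR 0 = firmware,
# PCR 4 = boot manager / kernel, PCR 7 = Secure Boot policy state. Labels are made up.
GOLDEN_CHAIN: List[Tuple[int, bytes]] = [
    (0, b"UEFI firmware image"),
    (7, b"SecureBoot=on; db=Microsoft UEFI CA"),
    (4, b"boot manager (signed)"),
    (4, b"OS kernel (signed)"),
]


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM-style extend: PCR_new = SHA-256(PCR_old || SHA-256(event)). A PCR can only accumulate."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measured_boot(chain: List[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """Replay a boot chain into a PCR bank that starts at all zeros."""
    pcrs = {idx: bytes(32) for idx, _ in chain}
    for idx, event in chain:
        pcrs[idx] = pcr_extend(pcrs[idx], event)
    return pcrs


def pcr_digest(pcrs: Dict[int, bytes]) -> bytes:
    """Digest over the selected PCRs in index order, as a quote would attest."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(pcrs))).digest()


def tpm_quote(pcrs: Dict[int, bytes], nonce: bytes, ak_secret: bytes) -> Dict[str, Any]:
    """TPM2_Quote stand-in: sign (PCR digest, nonce). A real vTPM uses an asymmetric attestation
    key certified for the platform; a shared HMAC secret stands in for it in this example."""
    attested = {"pcr_digest": pcr_digest(pcrs).hex(), "nonce": nonce.hex()}
    msg = json.dumps(attested, sort_keys=True).encode()
    return {"attested": attested,
            "signature": hmac.new(ak_secret, msg, "sha256").hexdigest(),
            "pcrs": {i: v.hex() for i, v in pcrs.items()}}


def verify_quote(q: Dict[str, Any], expected_nonce: bytes, ak_secret: bytes,
                 golden: Dict[int, bytes]) -> Tuple[bool, str]:
    """Verifier side, in order: signature, freshness, PCR-to-digest binding, then golden-value policy."""
    msg = json.dumps(q["attested"], sort_keys=True).encode()
    if not hmac.compare_digest(q["signature"], hmac.new(ak_secret, msg, "sha256").hexdigest()):
        return False, "signature invalid"
    if q["attested"]["nonce"] != expected_nonce.hex():
        return False, "nonce mismatch (replayed quote)"
    reported = {i: bytes.fromhex(v) for i, v in q["pcrs"].items()}
    if pcr_digest(reported).hex() != q["attested"]["pcr_digest"]:
        return False, "reported PCRs do not match signed digest"
    drifted = sorted(i for i in golden if reported.get(i) != golden[i])
    if drifted:
        return False, f"PCR mismatch at {drifted}"
    return True, "boot integrity attested"


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    ak = os.urandom(32)                        # constructed attestation-key secret
    golden = measured_boot(GOLDEN_CHAIN)       # verifier's known-good PCR values
    out: Dict[str, Tuple[bool, str]] = {}

    nonce = os.urandom(16)
    out["healthy"] = verify_quote(tpm_quote(measured_boot(GOLDEN_CHAIN), nonce, ak), nonce, ak, golden)

    # A bootkit swaps the boot manager: PCR 4 diverges and cannot be extended back to the golden value.
    tampered = [(i, b"boot manager (patched by bootkit)" if ev == b"boot manager (signed)" else ev)
                for i, ev in GOLDEN_CHAIN]
    nonce = os.urandom(16)
    out["bootkit"] = verify_quote(tpm_quote(measured_boot(tampered), nonce, ak), nonce, ak, golden)

    # Replaying an earlier healthy quote fails the freshness check.
    old_quote = tpm_quote(measured_boot(GOLDEN_CHAIN), os.urandom(16), ak)
    out["replay"] = verify_quote(old_quote, os.urandom(16), ak, golden)

    # Reporting golden PCRs next to a signed digest of tampered ones is caught by the binding check.
    forged = tpm_quote(measured_boot(tampered), nonce, ak)
    forged["pcrs"] = {i: v.hex() for i, v in golden.items()}
    out["forged_pcrs"] = verify_quote(forged, nonce, ak, golden)
    return out


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:12} {'PASS' if ok else 'FAIL'}: {reason}")
```

The ordering inside `verify_quote` matters: the signature is checked before anything else so that an attacker who cannot sign cannot influence which error is reported, and the golden-value comparison comes last because it is policy, not cryptography. Secure Boot and the vTPM are what make the measured values trustworthy in the first place; attestation only reports them.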
Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK) |
Using customer-managed keys to encrypt data at rest provides more control over the key lifecycle, including rotation and management. This is particularly relevant for organizations with related compliance requirements. This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements. If not enabled, the data will be encrypted using platform-managed keys. To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope. |
Audit, Deny, Disabled |
2.2.0 |
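The Effect(s) column on every row lists the values an assignment may set for the definition's `effect` parameter, and the Azure AI Services entry above spells out the consequence: nothing is assessed until you set that parameter for a scope. To make that concrete, here is an added Python evaluator, written for this page and not the Azure Policy engine, that walks an Azure Policy-style `if` block (`allOf`, `anyOf`, `not`, and `field` conditions with `equals`, `notEquals`, `exists`, `in`), resolves `[parameters('effect')]` against assignment-time parameters, and reports how the same resource fares under Audit, Deny and Disabled. The sample definition and resources are constructed: the alias and property names are modelled on a storage-account CMK check (`encryption.keySource` equal to `Microsoft.Keyvault`) and are assumptions, not a copy of any published built-in, and alias resolution is simplified to `properties.<path>`.

```python
"""Illustrative Azure Policy-style rule evaluator (added example; not the Azure Policy engine)."""
import re
from typing import Any, Dict, Optional

# Constructed definition modelled on a storage-account CMK check. The alias and
# property names are assumptions for this example, not a copy of any built-in.
CMK_POLICY: Dict[str, Any] = {
    "parameters": {
        "effect": {"allowedValues": ["Audit", "Deny", "Disabled"], "defaultValue": "Audit"}
    },
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                {"anyOf": [
                    {"field": "Microsoft.Storage/storageAccounts/encryption.keySource", "exists": "false"},
                    {"field": "Microsoft.Storage/storageAccounts/encryption.keySource",
                     "notEquals": "Microsoft.Keyvault"},
                ]},
            ]
        },
        "then": {"effect": "[parameters('effect')]"},
    },
}

# Constructed sample resources as they would appear in an ARM request or a compliance scan.
PLATFORM_KEY_ACCOUNT = {"type": "Microsoft.Storage/storageAccounts", "name": "stplatform",
                        "properties": {"encryption": {"keySource": "Microsoft.Storage"}}}
CMK_ACCOUNT = {"type": "Microsoft.Storage/storageAccounts", "name": "stcmk",
               "properties": {"encryption": {"keySource": "Microsoft.Keyvault",
                                             "keyvaultproperties": {"keyvaulturi": "https://kv-example.vault.azure.net/",
                                                                    "keyname": "storage-cmk"}}}}
NO_ENCRYPTION_BLOCK = {"type": "Microsoft.Storage/storageAccounts", "name": "stbare", "properties": {}}
UNRELATED = {"type": "Microsoft.Network/virtualNetworks", "name": "vnet1", "properties": {}}


def _lookup(resource: Dict[str, Any], field: str) -> Any:
    """Resolve a field alias: top-level names (type, name, location) read the resource root;
    'Namespace/resourceType/a.b' reads properties.a.b. Real alias resolution is richer."""
    if "/" not in field:
        return resource.get(field)
    parts = field.split("/", 2)
    if len(parts) < 3:
        return None
    node: Any = resource.get("properties", {})
    for segment in parts[2].split("."):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node


def _matches(cond: Dict[str, Any], resource: Dict[str, Any]) -> bool:
    """True when the condition selects this resource, i.e. the rule's 'if' fires."""
    if "allOf" in cond:
        return all(_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not _matches(cond["not"], resource)
    value = _lookup(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    if "in" in cond:
        return value in cond["in"]
    raise ValueError(f"unsupported condition: {cond}")


def _resolve_effect(policy: Dict[str, Any], parameters: Dict[str, str]) -> str:
    """Resolve "[parameters('name')]" from assignment parameters, enforcing allowedValues."""
    expr = policy["policyRule"]["then"]["effect"]
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", expr)
    if not m:
        return expr
    spec = policy["parameters"][m.group(1)]
    value = parameters.get(m.group(1), spec["defaultValue"])
    if value not in spec["allowedValues"]:
        raise ValueError(f"effect {value!r} not in allowedValues {spec['allowedValues']}")
    return value


def evaluate(policy: Dict[str, Any], resource: Dict[str, Any],
             parameters: Optional[Dict[str, str]] = None) -> str:
    """Outcome for one resource: 'Skipped' (Disabled), 'Compliant', 'NonCompliant' (Audit) or 'Denied' (Deny)."""
    effect = _resolve_effect(policy, parameters or {})
    if effect == "Disabled":
        return "Skipped"
    if not _matches(policy["policyRule"]["if"], resource):
        return "Compliant"
    return "Denied" if effect == "Deny" else "NonCompliant"


if __name__ == "__main__":
    for eff in ("Audit", "Deny", "Disabled"):
        for res in (PLATFORM_KEY_ACCOUNT, CMK_ACCOUNT, NO_ENCRYPTION_BLOCK, UNRELATED):
            print(f"{eff:8} {res['name']:11} -> {evaluate(CMK_POLICY, res, {'effect': eff})}")
```

Two practical points fall out of the evaluator. A resource with no `encryption` block at all is caught by the `exists: false` branch, not by `notEquals`, which is why CMK built-ins pair the two inside an `anyOf`. And Audit and Deny run the identical `if` logic; the only difference is whether the matching resource is recorded as non-compliant or the write is rejected, so auditing first and flipping to Deny once the compliance report is clean is the usual rollout order.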
Azure API for FHIR should use a customer-managed key to encrypt data at rest |
Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. |
audit, Audit, disabled, Disabled |
1.1.0 |
Azure Automation accounts should use customer-managed keys to encrypt data at rest |
Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/automation-cmk. |
Audit, Deny, Disabled |
1.0.0 |
Azure Batch account should use customer-managed keys to encrypt data |
Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/Batch-CMK. |
Audit, Deny, Disabled |
1.0.1 |
Azure Batch pools should have disk encryption enabled |
Enabling Azure Batch disk encryption ensures that data is always encrypted at rest on your Azure Batch compute node. Learn more about disk encryption in Batch at https://docs.microsoft.com/azure/batch/disk-encryption. |
Audit, Disabled, Deny |
1.0.0 |
Azure Container Instance container group should use customer-managed key for encryption |
Secure your containers with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. |
Audit, Disabled, Deny |
1.0.0 |
Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest |
Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. |
audit, Audit, deny, Deny, disabled, Disabled |
1.1.0 |
Azure Data Box jobs should enable double encryption for data at rest on the device |
Enable a second layer of software-based encryption for data at rest on the device. The device is already protected via Advanced Encryption Standard 256-bit encryption for data at rest. This option adds a second layer of data encryption. |
Audit, Deny, Disabled |
1.0.0 |
Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password |
Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key. |
Audit, Deny, Disabled |
1.0.0 |
Azure Data Explorer encryption at rest should use a customer-managed key |
Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key used for encryption at rest. This feature is typically applicable to customers with special compliance requirements and requires a Key Vault to manage the keys. |
Audit, Deny, Disabled |
1.0.0 |
Azure data factories should be encrypted with a customer-managed key |
Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/adf-cmk. |
Audit, Deny, Disabled |
1.0.1 |
Azure Edge Hardware Center devices should have double encryption support enabled |
Ensure that devices ordered from Azure Edge Hardware Center have double encryption support enabled, to secure the data at rest on the device. This option adds a second layer of data encryption. |
Audit, Deny, Disabled |
2.0.0 |
Azure HDInsight clusters should use customer-managed keys to encrypt data at rest |
Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/hdi.cmk. |
Audit, Deny, Disabled |
1.0.1 |
Azure HDInsight clusters should use encryption at host to encrypt data at rest |
Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. |
Audit, Deny, Disabled |
1.0.0 |
Azure Machine Learning workspaces should be encrypted with a customer-managed key |
Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. |
Audit, Deny, Disabled |
1.1.0 |
Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) |
To ensure that data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default where supported in the region; see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. |
audit, Audit, deny, Deny, disabled, Disabled |
1.1.0 |
Azure Monitor Logs clusters should be encrypted with customer-managed key |
Create the Azure Monitor Logs cluster with customer-managed key encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. A customer-managed key in Azure Monitor gives you more control over access to your data; see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. |
audit, Audit, deny, Deny, disabled, Disabled |
1.1.0 |
Azure Stream Analytics jobs should use customer-managed keys to encrypt data |
Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. |
audit, Audit, deny, Deny, disabled, Disabled |
1.1.0 |
Azure Synapse workspaces should use customer-managed keys to encrypt data at rest |
Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. |
Audit, Deny, Disabled |
1.0.0 |
Bot Service should be encrypted with a customer-managed key |
Azure Bot Service automatically encrypts your resource to protect your data and meet organizational security and compliance commitments. By default, Microsoft-managed encryption keys are used. For greater flexibility in managing keys or controlling access to your subscription, select customer-managed keys, also known as bring your own key (BYOK). Learn more about Azure Bot Service encryption: https://docs.microsoft.com/azure/bot-service/bot-service-encryption. |
audit, Audit, deny, Deny, disabled, Disabled |
1.1.0 |
Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys |
Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards. |
Audit, Deny, Disabled |
1.0.1 |
Container registries should be encrypted with a customer-managed key |
Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. |
Audit, Deny, Disabled |
1.1.2 |
Disk encryption should be enabled on Azure Data Explorer |
Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. |
Audit, Deny, Disabled |
2.0.0 |
Double encryption should be enabled on Azure Data Explorer |
Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. |
Audit, Deny, Disabled |
2.0.0 |
Event Hub namespaces should use a customer-managed key for encryption |
Azure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters. |
Audit, Disabled |
1.0.0 |
HPC Cache accounts should use customer-managed key for encryption |
Manage encryption at rest of Azure HPC Cache with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. |
Audit, Disabled, Deny |
2.0.0 |
Infrastructure encryption should be enabled for Azure Database for MySQL servers |
Enable infrastructure encryption for Azure Database for MySQL servers to have a higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft-managed keys. |
Audit, Deny, Disabled |
1.0.0 |
Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers |
Enable infrastructure encryption for Azure Database for PostgreSQL servers to have a higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft-managed keys. |
Audit, Deny, Disabled |
1.0.0 |
Logic Apps Integration Service Environment should be encrypted with customer-managed keys |
Deploy into Integration Service Environment to manage encryption at rest of Logic Apps data using customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. |
Audit, Deny, Disabled |
1.0.0 |
Managed disks should be double encrypted with both platform-managed and customer-managed keys |
Highly security-sensitive customers who are concerned about the risk of any particular encryption algorithm, implementation, or key being compromised can opt for an additional layer of encryption, using a different encryption algorithm/mode at the infrastructure layer with platform-managed encryption keys. Disk encryption sets are required for double encryption. Learn more at https://aka.ms/disks-doubleEncryption. |
Audit, Deny, Disabled |
1.0.0 |
MySQL servers should use customer-managed keys to encrypt data at rest |
Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. |
AuditIfNotExists, Disabled |
1.0.4 |
OS and data disks should be encrypted with a customer-managed key |
Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. |
Audit, Deny, Disabled |
3.0.0 |
PostgreSQL servers should use customer-managed keys to encrypt data at rest |
Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. |
AuditIfNotExists, Disabled |
1.0.4 |
Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption |
Link a storage account to the Log Analytics workspace to protect saved queries with storage account encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over access to your saved queries in Azure Monitor. For more details, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys?tabs=portal#customer-managed-key-for-saved-queries. |
audit, Audit, deny, Deny, disabled, Disabled |
1.1.0 |
Service Bus Premium namespaces should use a customer-managed key for encryption |
Azure Service Bus supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Service Bus will use to encrypt data in your namespace. Note that Service Bus only supports encryption with customer-managed keys for premium namespaces. |
Audit, Disabled |
1.0.0 |
SQL managed instances should use customer-managed keys to encrypt data at rest |
Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. |
Audit, Deny, Disabled |
2.0.0 |
SQL servers should use customer-managed keys to encrypt data at rest |
Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. |
Audit, Deny, Disabled |
2.0.1 |
Storage account encryption scopes should use customer-managed keys to encrypt data at rest |
Use customer-managed keys to manage the encryption at rest of your storage account encryption scopes. Customer-managed keys enable the data to be encrypted with an Azure key-vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about storage account encryption scopes at https://aka.ms/encryption-scopes-overview. |
Audit, Deny, Disabled |
1.0.0 |
Storage accounts should have infrastructure encryption |
Enable infrastructure encryption for a higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice. |
Audit, Deny, Disabled |
1.0.0 |
Storage accounts should use customer-managed key for encryption |
Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. |
Audit, Disabled |
1.0.3 |
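The Storage accounts entry above (and the Container Instance entry earlier) states the mechanism behind every customer-managed-key policy on this page: the CMK is a key-encryption key that protects the per-object data-encryption key, so rotating the KEK re-wraps DEKs without touching the bulk ciphertext, and destroying the KEK cryptographically erases the data. The same envelope structure is what the TDE protector entries for SQL describe. The Python below is an added example for this page; it is not Azure's implementation and not a Key Vault client. The cipher is an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC standing in for AES-GCM and AES key wrap, `KeyVault` is a constructed in-memory stand-in that holds KEK versions and only exposes wrap/unwrap, and the records are constructed sample data. The demo shows rotation leaving the ciphertext unchanged, a bit-flip in stored ciphertext being rejected, and destruction of the current KEK version making the data unrecoverable.

```python
"""Envelope encryption with a customer-managed key (added example; not Azure's implementation)."""
import hmac
import os
from typing import Any, Dict, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream (stand-in for AES-CTR)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    # Distinct encryption and MAC subkeys derived from one 32-byte key.
    return hmac.new(key, b"enc", "sha256").digest(), hmac.new(key, b"mac", "sha256").digest()


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce(16) || ciphertext || tag(32). Stand-in for AES-GCM / AES-KW."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(mac_key, nonce + ciphertext, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ciphertext, "sha256").digest()):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class KeyVault:
    """Constructed stand-in for the customer's vault: KEK bytes never leave it; the service only
    gets wrap/unwrap, so deleting a version is a hard revocation the service cannot undo."""
    def __init__(self) -> None:
        self._versions: Dict[str, bytes] = {}
        self.current = ""

    def create_version(self) -> str:
        self.current = f"kek-v{len(self._versions) + 1}"
        self._versions[self.current] = os.urandom(32)
        return self.current

    def wrap(self, dek: bytes) -> Tuple[str, bytes]:
        return self.current, seal(self._versions[self.current], dek)

    def unwrap(self, version: str, wrapped: bytes) -> bytes:
        if version not in self._versions:
            raise KeyError(f"{version} destroyed: data under it is cryptographically erased")
        return unseal(self._versions[version], wrapped)

    def destroy(self, version: str) -> None:
        del self._versions[version]


class EncryptedStore:
    """Service side: a fresh DEK per object; only the KEK-wrapped DEK is stored next to the ciphertext."""
    def __init__(self, vault: KeyVault) -> None:
        self.vault = vault
        self.objects: Dict[str, Dict[str, Any]] = {}

    def put(self, name: str, data: bytes) -> None:
        dek = os.urandom(32)
        version, wrapped = self.vault.wrap(dek)
        self.objects[name] = {"kek_version": version, "wrapped_dek": wrapped, "ciphertext": seal(dek, data)}

    def get(self, name: str) -> bytes:
        obj = self.objects[name]
        return unseal(self.vault.unwrap(obj["kek_version"], obj["wrapped_dek"]), obj["ciphertext"])

    def rotate_kek(self) -> None:
        """Re-wrap every DEK under the vault's current KEK version; bulk ciphertext is untouched."""
        for obj in self.objects.values():
            dek = self.vault.unwrap(obj["kek_version"], obj["wrapped_dek"])
            obj["kek_version"], obj["wrapped_dek"] = self.vault.wrap(dek)


def envelope_demo() -> Dict[str, Any]:
    vault = KeyVault()
    vault.create_version()                                   # kek-v1
    store = EncryptedStore(vault)
    store.put("rec-1", b"patient record 42")                 # constructed sample data
    ct_before = store.objects["rec-1"]["ciphertext"]

    vault.create_version()                                   # customer rotates to kek-v2
    store.rotate_kek()
    plaintext = store.get("rec-1")
    ct_after = store.objects["rec-1"]["ciphertext"]

    store.put("rec-2", b"second record")                     # flip one bit of stored ciphertext
    damaged = bytearray(store.objects["rec-2"]["ciphertext"])
    damaged[20] ^= 0x01
    store.objects["rec-2"]["ciphertext"] = bytes(damaged)
    try:
        store.get("rec-2")
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    vault.destroy("kek-v2")                                  # crypto-shred: no KEK, no DEKs, no data
    try:
        store.get("rec-1")
        erased = False
    except KeyError:
        erased = True
    return {"kek_version_after_rotation": store.objects["rec-1"]["kek_version"],
            "ciphertext_unchanged_by_rotation": ct_before == ct_after,
            "plaintext_after_rotation": plaintext,
            "tamper_detected": tamper_detected,
            "erased_after_kek_destroyed": erased}


if __name__ == "__main__":
    for k, v in envelope_demo().items():
        print(f"{k}: {v!r}")
```

Note what rotation does and does not buy you: after `rotate_kek` the old version can be retired, but until every wrapped DEK has been re-wrapped, destroying `kek-v1` would erase the objects still bound to it. That is why the "full control and responsibility for the key lifecycle" wording on these policies cuts both ways: an access-policy change, soft-delete purge or expired key on the customer's vault takes the service's data offline just as surely as an outage would.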
Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host |
To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service node VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards. |
Audit, Deny, Disabled |
1.0.1 |
Transparent Data Encryption on SQL databases should be enabled |
Transparent data encryption should be enabled to protect data at rest and meet compliance requirements. |
AuditIfNotExists, Disabled |
2.0.0 |
Virtual machines and virtual machine scale sets should have encryption at host enabled |
Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at https://aka.ms/vm-hbe. |
Audit, Deny, Disabled |
1.0.0 |