Profile Applicability:
Level 2
Description:
Customer Managed Keys (CMK) enable organizations to have full control over the encryption keys used to protect their critical data at rest in Azure services. CMKs are stored in Azure Key Vault or Managed HSM, allowing customers to define key rotation policies, perform key lifecycle management, and revoke access independently of the service.
Rationale:
Using CMKs enhances security by giving organizations direct control over their encryption keys, meeting strict compliance and regulatory requirements. It enables better auditability, key rotation, and revocation capabilities beyond what Microsoft Managed Keys provide. This reduces risks associated with unauthorized access to sensitive data and strengthens overall data protection.
Impact:
Pros:
Full control over key lifecycle management, including rotation and revocation.
Greater compliance support with key ownership and auditing requirements.
Enables separation of duties between data owners and cloud service providers.
Cons:
Increased operational overhead to manage keys securely.
Requires proper configuration and monitoring to avoid service disruption.
Possible additional costs for Azure Key Vault and HSM usage.
Default Value:
By default, many Azure services use Microsoft Managed Keys for encryption unless explicitly configured for CMK.
Pre-requisites:
Azure Key Vault or Managed HSM set up with appropriate permissions.
Access rights to configure encryption settings on Azure resources.
Understanding of key management best practices.
Remediation:
Test Plan:
Using Azure Portal:
Navigate to https://portal.azure.com.
Open the relevant Azure resource (e.g., Storage Account, SQL Database, Key Vault).
Go to the Encryption (or Settings) section.
Verify that encryption uses Customer Managed Keys from Key Vault or Managed HSM.
Confirm the correct key URI is configured and accessible.
Using Azure CLI:
1. For Storage Account, check encryption settings and keySource:
az storage account show --name <storage-account-name> --resource-group <resource-group> --query encryption.keySource
2. It should return Microsoft.Keyvault, indicating CMK use.
3. For SQL Database, verify encryption protector type:
az sql server tde-key show --server <server-name> --resource-group <resource-group>
4. Confirm the serverKeyType is AzureKeyVault.
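To automate the two CLI checks above, the following is an added Python example, not part of this benchmark: it evaluates the JSON returned by `az storage account show --query encryption` and `az sql server tde-key show`. The field names keyVaultProperties.keyVaultUri/keyName and serverKeyType follow the az CLI output shape and are assumptions here; the sample documents are constructed.

```python
"""Evaluate az CLI JSON output for customer-managed key (CMK) usage."""
import json
from typing import Tuple

CMK_STORAGE_SOURCE = "Microsoft.Keyvault"   # expected encryption.keySource
CMK_TDE_TYPE = "AzureKeyVault"              # expected serverKeyType


def check_storage_encryption(encryption: dict) -> Tuple[bool, str]:
    """Return (compliant, reason) for a storage account 'encryption' block."""
    source = encryption.get("keySource")
    if source != CMK_STORAGE_SOURCE:
        return False, f"keySource is {source!r}, expected {CMK_STORAGE_SOURCE!r}"
    # keySource says CMK, but the key reference itself must also be present.
    props = encryption.get("keyVaultProperties") or {}
    vault_uri = props.get("keyVaultUri")
    key_name = props.get("keyName")
    if not vault_uri or not key_name:
        return False, "keySource is CMK but keyVaultProperties lacks keyVaultUri/keyName"
    if not vault_uri.startswith("https://"):
        return False, f"keyVaultUri {vault_uri!r} is not an https URI"
    return True, f"CMK {key_name} from {vault_uri}"


def check_tde_protector(protector: dict) -> Tuple[bool, str]:
    """Return (compliant, reason) for an 'az sql server tde-key show' document."""
    key_type = protector.get("serverKeyType")
    if key_type != CMK_TDE_TYPE:
        return False, f"serverKeyType is {key_type!r}, expected {CMK_TDE_TYPE!r}"
    uri = protector.get("uri")
    if not uri:
        return False, "serverKeyType is AzureKeyVault but no key URI is set"
    return True, f"TDE protector is Key Vault key {uri}"


# Constructed samples (shape follows az CLI output; values are made up).
SAMPLE_STORAGE = json.loads(
    '{"keySource": "Microsoft.Storage", "keyVaultProperties": null}')
SAMPLE_TDE = json.loads(
    '{"serverKeyType": "AzureKeyVault", '
    '"uri": "https://example-vault.vault.azure.net/keys/tde-key/0123"}')

if __name__ == "__main__":
    for name, (ok, reason) in (("storage", check_storage_encryption(SAMPLE_STORAGE)),
                               ("sql-tde", check_tde_protector(SAMPLE_TDE))):
        print(f"{'PASS' if ok else 'FAIL'} {name}: {reason}")
```

Pipe real output in with `az ... -o json` and load it with json.load instead of the samples; a FAIL line is a finding for the Test Plan.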
Implementation Plan:
Using Azure Portal:
Create or select an existing Key Vault containing the customer-managed key.
Assign required permissions for the Azure resource to access the Key Vault key.
Navigate to the Azure resource’s Encryption settings.
Select Customer Managed Keys as the encryption method and specify the Key Vault key URI.
Save the configuration and validate encryption is active with CMK.
Using Azure CLI:
1. Assign an access policy for the resource identity to the Key Vault (the resource must already have a managed identity, for example `az storage account update --name <storage-account-name> --resource-group <resource-group> --assign-identity`, whose principalId is the <resource-identity-object-id> below):
az keyvault set-policy --name <keyvault-name> --object-id <resource-identity-object-id> --key-permissions get wrapKey unwrapKey
2. Update storage account encryption settings:
az storage account update --name <storage-account-name> --resource-group <resource-group> --encryption-key-source Microsoft.Keyvault --encryption-key-vault <key-vault-uri> --encryption-key-name <key-name> --encryption-key-version <key-version>
3. For SQL Server Transparent Data Encryption (TDE) with CMK:
az sql server tde-key set --server <server-name> --resource-group <resource-group> --server-key-type AzureKeyVault --kid <key-vault-key-uri>
Backout Plan:
Using Azure Portal:
Switch encryption back to Microsoft Managed Keys if needed.
Remove or modify Key Vault access policies accordingly.
Using Azure CLI:
1. Reset encryption key source to Microsoft Managed Keys:
az storage account update --name <storage-account-name> --resource-group <resource-group> --encryption-key-source Microsoft.Storage
2. For SQL Server, set TDE protector back to service-managed:
az sql server tde-key set --server <server-name> --resource-group <resource-group> --server-key-type ServiceManaged
References: