
Storage Account Does Not Require Infrastructure Encryption

Overview

Azure Storage automatically encrypts all data in a storage account at the network level using 256-bit AES encryption, which is one of the strongest, FIPS 140-2-compliant block ciphers available. Customers who require higher levels of assurance that their data is secure can also enable 256-bit AES encryption at the Azure Storage infrastructure level for double encryption. Double encryption of Azure Storage data protects against a scenario where one of the encryption algorithms or keys may be compromised.

With double encryption enabled, data is also encrypted before network transmission and in all backups, so the additional layer of encryption continues to protect it there. For the most secure implementation of key-based encryption, it is recommended to use a customer-managed asymmetric RSA 2048 key in Azure Key Vault.

By default, infrastructure encryption is disabled at creation time.
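The following is an added example of how this rule can be evaluated offline; it is not code from the original page or from the scanner vendor. It parses JSON in the shape returned by `az storage account list -o json` and flags every account whose ARM property `encryption.requireInfrastructureEncryption` is not exactly `true` (a missing or null property means the account kept the disabled default). The account names and subscription id are constructed sample data, and the secondary check for a Key Vault key source reflects the page's recommendation, not a requirement of the rule itself.

```python
import json

# Constructed sample data (not a real subscription) in the shape of
# `az storage account list -o json`, trimmed to the fields the check needs.
SAMPLE_ACCOUNTS_JSON = """
[
  {
    "name": "stlogsprod01",
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stlogsprod01",
    "encryption": {"keySource": "Microsoft.Keyvault", "requireInfrastructureEncryption": true}
  },
  {
    "name": "stdatadev02",
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dev/providers/Microsoft.Storage/storageAccounts/stdatadev02",
    "encryption": {"keySource": "Microsoft.Storage", "requireInfrastructureEncryption": false}
  },
  {
    "name": "stlegacy03",
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dev/providers/Microsoft.Storage/storageAccounts/stlegacy03",
    "encryption": {"keySource": "Microsoft.Storage"}
  }
]
"""


def infrastructure_encryption_enabled(account: dict) -> bool:
    """True only when encryption.requireInfrastructureEncryption is exactly true.

    The property is absent or null on accounts created without the option,
    which is the default, so anything other than a literal true is treated
    as disabled rather than as unknown.
    """
    encryption = account.get("encryption") or {}
    return encryption.get("requireInfrastructureEncryption") is True


def uses_customer_managed_key(account: dict) -> bool:
    """True when the account's encryption key comes from Azure Key Vault (CMK)."""
    encryption = account.get("encryption") or {}
    return encryption.get("keySource") == "Microsoft.Keyvault"


def find_noncompliant(accounts: list) -> list:
    """Names of accounts that fail the rule (infrastructure encryption not required)."""
    return [a["name"] for a in accounts if not infrastructure_encryption_enabled(a)]


def evaluate(accounts_json: str) -> dict:
    """Evaluate raw `az storage account list` JSON and return a small report."""
    accounts = json.loads(accounts_json)
    noncompliant = find_noncompliant(accounts)
    return {
        "compliant": [a["name"] for a in accounts if a["name"] not in noncompliant],
        "noncompliant": noncompliant,
        # Informational: accounts still on Microsoft-managed keys, which the
        # page recommends moving to a customer-managed RSA 2048 key in Key Vault.
        "platform_managed_key": [a["name"] for a in accounts if not uses_customer_managed_key(a)],
    }


if __name__ == "__main__":
    report = evaluate(SAMPLE_ACCOUNTS_JSON)
    for name in report["noncompliant"]:
        print(f"FAIL {name}: infrastructure encryption not required")
    for name in report["compliant"]:
        print(f"PASS {name}")
    # Infrastructure encryption is set when the account is created; the
    # `az storage account create --require-infrastructure-encryption` flag
    # enables it for a new account.
```

Run it as-is to see the constructed sample evaluated, or pipe real output from `az storage account list -o json` into `evaluate()`. Treating an absent property as a failure rather than skipping it is deliberate: an account that never had the option set is exactly the default-disabled case the rule targets.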

Vendor

Azure

Cloud Service

Storage

CIS Azure v2.0.0 3.2

References

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-encryption-status
https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption
https://docs.microsoft.com/en-us/azure/storage/common/infrastructure-encryption-enable
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-4-enable-data-at-rest-encryption-by-default

Severity

4

Item Types

Microsoft.Storage.storageAccounts