Customer Managed Keys not configured #181
Labels:
- bug: Something isn't working
- EPIC - Pen-test fixes: Fixing security issues found during penetration testing
- MVP: Things that need to be considered for the MVP release
The penetration testing report showed that (page 42):
By default, all resources within Azure are encrypted with Microsoft Managed keys at rest. These keys are fully managed by Microsoft and will be automatically rotated and re-generated, as per their own compliance requirements.
With Customer-managed keys (CMK), Azure customers have control over the key and therefore more control over the data it protects, providing greater flexibility and allowing them to enforce their own key rotation policies. In the event of a security incident, the affected key can simply be revoked to prevent further compromise. CMKs also allow for tracking and monitoring of when the key is used, helping detect unauthorised attempts to access data.
Additionally, Microsoft can be compelled by legal request to hand over all encryption keys, which can happen without the customer being notified.
Microsoft-managed encryption keys were found to be in use on the following resources:
This is a medium-level risk, but it is something we must fix before the next pen-test.
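One way to check for the finding described above, added here as an example (it is not code from this issue, the project, or the pen-test report): classify resources as Microsoft-managed or customer-managed from their ARM encryption properties. It assumes storage accounts and managed disks, since the list of affected resources is not shown on this page; the sample JSON and all resource names are constructed.

```python
import json

# Constructed sample in the trimmed shape of `az storage account list` and
# `az disk list` output. Names and IDs are placeholders, not from the report.
SAMPLE = json.loads("""
[
 {"type": "Microsoft.Storage/storageAccounts", "name": "stexample01",
  "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": null}},
 {"type": "Microsoft.Storage/storageAccounts", "name": "stexample02",
  "encryption": {"keySource": "Microsoft.Keyvault",
                 "keyVaultProperties": {"keyName": "cmk-example",
                   "keyVaultUri": "https://kv-example.vault.azure.net"}}},
 {"type": "Microsoft.Compute/disks", "name": "disk-example-01",
  "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
 {"type": "Microsoft.Compute/disks", "name": "disk-example-02",
  "encryption": {"type": "EncryptionAtRestWithCustomerKey",
                 "diskEncryptionSetId": "/subscriptions/<sub-id>/des-example"}},
 {"type": "Microsoft.Storage/storageAccounts", "name": "stexample03"}
]
""")

def key_management(resource):
    """Return 'customer', 'microsoft' or 'unknown' for one resource."""
    enc = resource.get("encryption") or {}
    rtype = resource.get("type", "").lower()
    if rtype == "microsoft.storage/storageaccounts":
        source = (enc.get("keySource") or "").lower()
        # A CMK needs both the Key Vault key source and a key reference.
        if source == "microsoft.keyvault" and enc.get("keyVaultProperties"):
            return "customer"
        return "microsoft" if source == "microsoft.storage" else "unknown"
    if rtype == "microsoft.compute/disks":
        etype = enc.get("type") or ""
        # Covers customer-key and platform-plus-customer-key disk encryption.
        if "CustomerKey" in etype and enc.get("diskEncryptionSetId"):
            return "customer"
        return "microsoft" if etype == "EncryptionAtRestWithPlatformKey" else "unknown"
    return "unknown"

def findings(resources):
    """List (name, status) for every resource not provably on a CMK."""
    return [(r.get("name"), s) for r in resources
            if (s := key_management(r)) != "customer"]

if __name__ == "__main__":
    for name, status in findings(SAMPLE):
        print(f"{name}: {status}")
```

Resources with missing or unrecognised encryption properties are reported as `unknown` rather than assumed compliant, so they still appear in the findings list.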