Ensure that Infrastructure Encryption feature is enabled for your Azure Storage accounts in order to use encryption at the hardware level on top of the default software encryption provided by Microsoft Azure cloud.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
By default, the data stored within your Microsoft Azure Storage accounts (blobs, disks, files, queues, and tables) is automatically encrypted at rest using 256-bit AES encryption. For Azure customers seeking enhanced data security, an option is to enable encryption at the infrastructure level of Azure Storage, providing double encryption. This approach safeguards Azure Storage data by applying two encryption layers, which helps mitigate potential risks associated with compromised encryption algorithms or keys. Furthermore, the data is encrypted prior to network transmission and during all backup processes, ensuring continuous protection.
Audit
To determine if infrastructure encryption is enabled for your Microsoft Azure Storage accounts, perform the following actions:
Remediation / Resolution
Infrastructure encryption adds a second layer of encryption to your storage account's data. Because the setting can only be applied when a storage account is created, enabling it for existing Microsoft Azure Storage accounts means re-creating those accounts with the appropriate encryption configuration by performing the following actions:
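The following Python script is an added example written for this page, not part of the Conformity rule or of Microsoft's tooling; it covers both the audit step above (which account property to inspect) and the remediation step (which `az storage account create` flag the replacement account needs). It works offline on a constructed sample shaped like the `encryption` section of `az storage account list -o json` output; the account names, resource group, SKU, kind and location are assumptions, and `live_account_list()` is only a convenience for running the same check against a real subscription after `az login`.

```python
import json
import shlex
import subprocess

# Constructed sample (not real output) containing only the fields this audit reads
# from `az storage account list -o json`; real output has many more fields.
SAMPLE_ACCOUNT_LIST = json.loads("""
[
  {"name": "examplestorage01", "resourceGroup": "example-rg",
   "encryption": {"requireInfrastructureEncryption": true}},
  {"name": "examplestorage02", "resourceGroup": "example-rg",
   "encryption": {"requireInfrastructureEncryption": false}},
  {"name": "examplestorage03", "resourceGroup": "example-rg",
   "encryption": {"requireInfrastructureEncryption": null}}
]
""")


def infrastructure_encryption_enabled(account):
    """True only when requireInfrastructureEncryption is explicitly true.

    A missing key or null means the account was created without the
    setting, which is the non-compliant (software-encryption-only) state.
    """
    encryption = account.get("encryption") or {}
    return encryption.get("requireInfrastructureEncryption") is True


def find_noncompliant(accounts):
    """Return (name, resourceGroup) for every account lacking infrastructure encryption."""
    return [(a["name"], a["resourceGroup"]) for a in accounts
            if not infrastructure_encryption_enabled(a)]


def show_query_command(name, resource_group):
    """argv for checking a single account with `az storage account show`.

    Prints `true` or `false` (or nothing when the property is unset).
    """
    return [
        "az", "storage", "account", "show",
        "--name", name,
        "--resource-group", resource_group,
        "--query", "encryption.requireInfrastructureEncryption",
        "--output", "tsv",
    ]


def remediation_command(name, resource_group, location):
    """argv for `az storage account create` with infrastructure encryption enabled.

    The setting cannot be switched on for an existing account, so the
    remediation is to create a replacement account with the flag set, migrate
    the data, and retire the old account. SKU and kind below are assumptions;
    match them to the account being replaced.
    """
    return [
        "az", "storage", "account", "create",
        "--name", name,
        "--resource-group", resource_group,
        "--location", location,
        "--sku", "Standard_LRS",
        "--kind", "StorageV2",
        "--require-infrastructure-encryption", "true",
    ]


def live_account_list():
    """Fetch real data with the Azure CLI (requires `az login`); not used by the offline demo."""
    out = subprocess.run(["az", "storage", "account", "list", "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    for name, rg in find_noncompliant(SAMPLE_ACCOUNT_LIST):
        print(f"NON-COMPLIANT: {name} ({rg})")
        print("  verify with:   ", shlex.join(show_query_command(name, rg)))
        # Placeholder replacement name and location; adjust before running.
        print("  remediate with:", shlex.join(remediation_command(name + "v2", rg, "eastus")))
```

The check treats anything other than an explicit `true` as non-compliant, so accounts created before the feature existed (where the property is absent or null) are reported rather than silently passed.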
References
- Azure Official Documentation
- Azure Storage encryption for data at rest
- Enable infrastructure encryption for double encryption of data
- Security Control v3: Data protection
- Azure PowerShell Documentation
- az storage account list
- az storage account show
- az storage account create