AzPolicyAdvertizer

last sync: 2025-Oct-31 18:22:59 UTC

PostgreSQL flexible servers should use customer-managed keys to encrypt data at rest

Azure BuiltIn Policy definition

Source Azure Portal
Display name PostgreSQL flexible servers should use customer-managed keys to encrypt data at rest
Id 12c74c95-0efd-48da-b8d9-2a7d68470c92
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 2
1.1.0
1.0.0
Built-in Versioning [Preview]
Category PostgreSQL
Microsoft Learn
Description Use customer-managed keys to manage the encryption at rest of your PostgreSQL flexible servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.
Cloud environments AzureCloud = true
AzureUSGovernment = unknown
AzureChinaCloud = unknown
Available in AzUSGov Unknown, no evidence if Policy definition is/not available in AzureUSGovernment
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
Audit
Allowed
Audit, Deny, Disabled
RBAC role(s) none
Rule aliases IF (2)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.DBforPostgreSQL/flexibleServers/dataEncryption.primaryKeyURI Microsoft.DBforPostgreSQL flexibleServers properties.dataEncryption.primaryKeyURI True False
Microsoft.DBforPostgreSQL/flexibleServers/dataEncryption.type Microsoft.DBforPostgreSQL flexibleServers properties.dataEncryption.type True False
Rule resource types IF (1)
Compliance
The following 1 compliance controls are associated with this Policy definition 'PostgreSQL flexible servers should use customer-managed keys to encrypt data at rest' (12c74c95-0efd-48da-b8d9-2a7d68470c92)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v3.0 DP-5 Azure_Security_Benchmark_v3.0_DP-5 Microsoft cloud security benchmark DP-5 Data Protection DP-5 Use customer-managed key option in data at rest encryption when required Shared **Security Principle:** If required for regulatory compliance, define the use case and service scope where customer-managed key option is needed. Enable and implement data at rest encryption using customer-managed key in services. **Azure Guidance:** Azure also provides encryption option using keys managed by yourself (customer-managed keys) for certain services. However, using customer-managed key option requires additional operational efforts to manage the key lifecycle. This may include encryption key generation, rotation, revoke and access control, etc. **Implementation and additional context:** Encryption model and key management table: https://docs.microsoft.com/azure/security/fundamentals/encryption-models Services that support encryption using customer-managed key: https://docs.microsoft.com/azure/security/fundamentals/encryption-models#supporting-services How to configure customer managed encryption keys in Azure Storage: https://docs.microsoft.com/azure/storage/common/storage-encryption-keys-portal n/a link 47
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Preview]: Microsoft cloud security benchmark v2 e3ec7e09-768c-4b64-882c-fcada3772047 Security Center Preview BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2024-07-30 18:18:24 change Minor (1.0.0 > 1.1.0)
2024-06-14 18:20:16 add 12c74c95-0efd-48da-b8d9-2a7d68470c92
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC