last sync: 2025-May-30 17:23:33 UTC

Queue Storage should use customer-managed key for encryption

Azure BuiltIn Policy definition

Source Azure Portal
Display name Queue Storage should use customer-managed key for encryption
Id f0e5abd0-2554-4736-b7c0-4ffef23475ef
Version 1.0.0
Versioning Versions supported for Versioning: 1 (1.0.0); Built-in Versioning [Preview]
Category Storage
Description Secure your queue storage with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.
Cloud environments AzureCloud = true; AzureUSGovernment = true; AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '1.*.*'
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default: Audit; Allowed: Audit, Deny, Disabled
RBAC role(s) none
Rule aliases IF (2)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Storage/storageAccounts/encryption.keySource Microsoft.Storage storageAccounts properties.encryption.keySource True False
Microsoft.Storage/storageAccounts/encryption.services.queue.keyType Microsoft.Storage storageAccounts properties.encryption.services.queue.keyType True False
Rule resource types IF (1)
Compliance
The following 2 compliance controls are associated with this Policy definition 'Queue Storage should use customer-managed key for encryption' (f0e5abd0-2554-4736-b7c0-4ffef23475ef)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
op.exp.10 Cryptographic key protection op.exp.10 Cryptographic key protection 404 not found n/a n/a 50
SO .3 - Customer-Managed Keys SO.3 - Customer-Managed Keys 404 not found n/a n/a 14
Initiatives usage
Initiative DisplayName | Initiative Id | Initiative Category | State | Type | polSet in AzUSGov
[Deprecated]: Deny or Audit resources without Encryption with a customer-managed key (CMK) | Enforce-Encryption-CMK | Encryption | Deprecated | ALZ |
[Preview]: Control the use of Storage Accounts in a Virtual Enclave | ca122c06-05f6-4423-9018-ccb523168eb2 | VirtualEnclaves | Preview | BuiltIn | true
Deny or Audit resources without Encryption with a customer-managed key (CMK) | Enforce-Encryption-CMK_20250218 | Encryption | GA | ALZ |
Sovereignty Baseline - Confidential Policies | 03de05a4-c324-4ccd-882f-a814ea8ab9ea | Regulatory Compliance | GA | BuiltIn | unknown
Spain ENS | 175daf90-21e1-4fec-b745-7b4c909aa94c | Regulatory Compliance | GA | BuiltIn | unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-02-18 17:44:00 add f0e5abd0-2554-4736-b7c0-4ffef23475ef
JSON compare n/a
JSON
api-version=2021-06-01
EPAC
{
  "displayName": "Queue Storage should use customer-managed key for encryption",
  "policyType": "BuiltIn",
  "mode": "Indexed",
  "description": "Secure your queue storage with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.",
  "metadata": {
    "version": "1.0.0",
    "category": "Storage"
  },
  "parameters": {1 item},
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Storage/storageAccounts"
        },
        {
          "field": "Microsoft.Storage/storageAccounts/encryption.keySource",
          "equals": "Microsoft.Keyvault"
        },
        {
          "field": "Microsoft.Storage/storageAccounts/encryption.services.queue.keyType",
          "notEquals": "Account"
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  }
}