Deny or Audit resources without Encryption with a customer-managed key (CMK)

Azure Landing Zones (ALZ) Policy Initiative (PolicySet)

Policy DisplayName

Policy Id

Category

Effect

Roles#

Roles

State

Type

[Deprecated]: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources

0961003e-5a0a-4549-abde-af6a37f2724d

Security Center

Default
Disabled
Allowed
AuditIfNotExists, Disabled

Deprecated

BuiltIn

[Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data

2e94d99a-8a36-4563-bc77-810d8893b671

Backup

Default
Audit
Allowed
Audit, Deny, Disabled

Preview

BuiltIn

Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK)

67121cc7-ff39-4ab8-b7e3-95b84dab487d

Cognitive Services

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Azure API for FHIR should use a customer-managed key to encrypt data at rest

051cba44-2429-45b9-9649-46cec11c7119

API for FHIR

Default
Audit
Allowed
audit, Audit, disabled, Disabled

BuiltIn

Azure Automation accounts should use customer-managed keys to encrypt data at rest

56a5ee18-2ae6-4810-86f7-18e39ce5629b

Automation

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Azure Batch account should use customer-managed keys to encrypt data

99e9ccd8-3db9-4592-b0d1-14b1715a4d8a

Batch

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Azure Cognitive Search services should use customer-managed keys to encrypt data at rest

76a56461-9dc0-40f0-82f5-2453283afa2f

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Azure Container Instance container group should use customer-managed key for encryption

0aa61e00-0a01-4a3c-9945-e93cffedf0e6

Container Instance

Default
Audit
Allowed
Audit, Disabled, Deny

BuiltIn

Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest

1f905d99-2ab7-462c-a6b0-f709acca6c8f

Cosmos DB

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

BuiltIn

Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password

86efb160-8de7-451d-bc08-5d475b0aadae

Data Box

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Azure Data Explorer encryption at rest should use a customer-managed key

81e74cea-30fd-40d5-802f-d72103c2aaaa

Azure Data Explorer

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Azure data factories should be encrypted with a customer-managed key

4ec52d6d-beb7-40c4-9a9e-fe753254690e

Data Factory

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Azure Machine Learning workspaces should be encrypted with a customer-managed key

ba769a63-b8cc-4b2d-abf6-ac33c7204be8

Machine Learning

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Azure Stream Analytics jobs should use customer-managed keys to encrypt data

87ba29ef-1ab3-4d82-b763-87fcd4f531f7

Stream Analytics

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

BuiltIn

Azure Synapse workspaces should use customer-managed keys to encrypt data at rest

f7d52b2d-e161-4dfa-a82b-55e564167385

Synapse

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Bot Service should be encrypted with a customer-managed key

51522a96-0869-4791-82f3-981000c2c67f

Bot Service

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

BuiltIn

Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys

7d7be79c-23ba-4033-84dd-45e2a5ccdd67

Kubernetes

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Container registries should be encrypted with a customer-managed key

5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580

Container Registry

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Event Hub namespaces (Premium) should use a customer-managed key for encryption

Deny-EH-Premium-CMK

Event Hub

Default
Deny
Allowed
Audit, Deny, Disabled

ALZ

Event Hub namespaces should use a customer-managed key for encryption

a1ad735a-e96f-45d2-a7b2-9a4932cab7ec

Event Hub

Default
Audit
Allowed
Audit, Disabled

BuiltIn

MySQL servers should use customer-managed keys to encrypt data at rest

83cef61d-dbd1-4b20-a4fc-5fbc7da10833

SQL

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

BuiltIn

OS and data disks should be encrypted with a customer-managed key

702dd420-7fcc-42c5-afe8-4026edd20fe0

Compute

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

PostgreSQL servers should use customer-managed keys to encrypt data at rest

18adea5e-f416-4d0f-8aa8-d24321e3e274

SQL

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

BuiltIn

Queue Storage should use customer-managed key for encryption

f0e5abd0-2554-4736-b7c0-4ffef23475ef

Storage

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Service Bus Premium namespaces should use a customer-managed key for encryption

295fc8b1-dc9f-4f53-9c61-3f313ceab40a

Service Bus

Default
Audit
Allowed
Audit, Disabled

BuiltIn

SQL managed instances should use customer-managed keys to encrypt data at rest

ac01ad65-10e5-46df-bdd9-6b0cad13e1d2

SQL

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

SQL servers should use customer-managed keys to encrypt data at rest

0a370ff3-6cab-4e85-8995-295fd854c5b8

SQL

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Storage account encryption scopes should use customer-managed keys to encrypt data at rest

b5ec538c-daa0-4006-8596-35468b9148e8

Storage

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Storage accounts should use customer-managed key for encryption

6fac406b-40ca-413b-bf8e-0bf964659c25

Storage

Default
Audit
Allowed
Audit, Disabled

BuiltIn

Table Storage should use customer-managed key for encryption

7c322315-e26d-4174-a99e-f49d351b4688

Storage

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn