General availability: New Azure policy built-in definitions for data encryption in Azure Monitor
Published date: 14 April, 2021
Customer-managed keys are useful if you have special compliance requirements and need to manage keys in your own Azure Key Vault. With Azure Policy, you can enforce organisational standards and assess compliance of data encryption settings in your environment. Azure Monitor now provides built-in policy definitions for governing data encryption and for controlling the key used for encryption at rest.
Available built-in policy definitions for data encryption:
- Azure Monitor logs clusters should be encrypted with a customer-managed key – Audits whether a Log Analytics cluster is defined with a customer-managed key.
- Azure Monitor logs clusters should be created with infrastructure-encryption enabled (double encryption) – Audits whether a Log Analytics cluster was created with infrastructure encryption enabled.
- Azure Monitor logs for application insights should be linked to a log analytics workspace – Audits whether Application Insights components are linked to a Log Analytics workspace for data storage. The workspace can then be linked to a Log Analytics cluster for customer-managed key settings.
- Saved queries in Azure Monitor should be saved in a customer storage account for logs encryption – Audits whether the workspace has a linked storage account, which allows saved queries to be encrypted with a customer-managed key.
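As an added illustration of what these four audits check (example code written for this page; it is not Microsoft's code and not the built-in definitions themselves), the following Python re-creates the four compliance conditions over a constructed, offline inventory of ARM-style resource records. The property names it inspects (`keyVaultProperties`, `isDoubleEncryptionEnabled`, `WorkspaceResourceId`, and a child `linkedStorageAccounts` resource with `dataSourceType` "Query") are assumptions taken from the Azure Resource Manager schemas for these resource types; confirm them against each definition's policy rule in the Azure portal before reusing the logic, for instance to pre-check a deployment before the built-in policies flag it.

```python
"""Local stand-in for the four built-in Azure Monitor encryption audits.
Added example: not Microsoft's code and not the built-in definitions.
Property names are ASSUMED from the ARM schemas for these resource types."""

CMK_POLICY = "Azure Monitor logs clusters should be encrypted with a customer-managed key"
INFRA_POLICY = "Azure Monitor logs clusters should be created with infrastructure-encryption enabled (double encryption)"
AI_LINK_POLICY = "Azure Monitor logs for application insights should be linked to a log analytics workspace"
SAVED_QUERIES_POLICY = "Saved queries in Azure Monitor should be saved in a customer storage account for logs encryption"

CLUSTER = "Microsoft.OperationalInsights/clusters"
WORKSPACE = "Microsoft.OperationalInsights/workspaces"
LINKED_STORAGE = "Microsoft.OperationalInsights/workspaces/linkedStorageAccounts"
COMPONENT = "Microsoft.Insights/components"


def props(resource):
    return resource.get("properties") or {}


def cluster_uses_cmk(cluster):
    # Assumed property: properties.keyVaultProperties holds the Key Vault key reference.
    kv = props(cluster).get("keyVaultProperties") or {}
    return bool(kv.get("keyVaultUri") and kv.get("keyName"))


def cluster_has_infra_encryption(cluster):
    # Assumed property: properties.isDoubleEncryptionEnabled (fixed at creation time).
    return props(cluster).get("isDoubleEncryptionEnabled") is True


def component_linked_to_workspace(component):
    # Assumed property: properties.WorkspaceResourceId on workspace-based components.
    return bool(props(component).get("WorkspaceResourceId"))


def workspace_has_query_storage(workspace, linked_storage_accounts):
    # Assumed: a child linkedStorageAccounts resource with dataSourceType "Query"
    # is what lets saved queries live in the customer's own storage account.
    prefix = workspace["id"].lower() + "/linkedstorageaccounts/"
    return any(
        lsa["id"].lower().startswith(prefix)
        and props(lsa).get("dataSourceType") == "Query"
        and props(lsa).get("storageAccountIds")
        for lsa in linked_storage_accounts
    )


def _state(ok):
    return "Compliant" if ok else "NonCompliant"


def evaluate(resources):
    """Return {(resource id, policy name): 'Compliant' | 'NonCompliant'}."""
    linked = [r for r in resources if r["type"] == LINKED_STORAGE]
    results = {}
    for r in resources:
        if r["type"] == CLUSTER:
            results[(r["id"], CMK_POLICY)] = _state(cluster_uses_cmk(r))
            results[(r["id"], INFRA_POLICY)] = _state(cluster_has_infra_encryption(r))
        elif r["type"] == COMPONENT:
            results[(r["id"], AI_LINK_POLICY)] = _state(component_linked_to_workspace(r))
        elif r["type"] == WORKSPACE:
            results[(r["id"], SAVED_QUERIES_POLICY)] = _state(workspace_has_query_storage(r, linked))
    return results


def non_compliant_ids(results):
    """Distinct resource ids that fail at least one of the four audits."""
    return sorted({rid for (rid, _), state in results.items() if state == "NonCompliant"})


# Constructed sample inventory (placeholder subscription and names, not real resources).
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-monitor/providers"
SAMPLE_RESOURCES = [
    {"id": f"{RG}/{CLUSTER}/cl-cmk", "type": CLUSTER,
     "properties": {"keyVaultProperties": {"keyVaultUri": "https://kv-example.vault.azure.net",
                                           "keyName": "la-cluster-key", "keyVersion": ""},
                    "isDoubleEncryptionEnabled": True}},
    {"id": f"{RG}/{CLUSTER}/cl-msk", "type": CLUSTER,
     "properties": {"isDoubleEncryptionEnabled": False}},
    {"id": f"{RG}/{COMPONENT}/ai-classic", "type": COMPONENT, "properties": {}},
    {"id": f"{RG}/{COMPONENT}/ai-wb", "type": COMPONENT,
     "properties": {"WorkspaceResourceId": f"{RG}/{WORKSPACE}/ws1"}},
    {"id": f"{RG}/{WORKSPACE}/ws1", "type": WORKSPACE, "properties": {}},
    {"id": f"{RG}/{WORKSPACE}/ws1/linkedStorageAccounts/Query", "type": LINKED_STORAGE,
     "properties": {"dataSourceType": "Query",
                    "storageAccountIds": [f"{RG}/Microsoft.Storage/storageAccounts/stqueries"]}},
    {"id": f"{RG}/{WORKSPACE}/ws2", "type": WORKSPACE, "properties": {}},
]

if __name__ == "__main__":
    for (rid, policy), state in sorted(evaluate(SAMPLE_RESOURCES).items()):
        print(f"{state:13} {policy[:60]:60} {rid.rsplit('/', 1)[-1]}")
```

Run against the sample inventory, the cluster without a Key Vault reference fails both cluster audits, the classic Application Insights component fails the workspace-link audit, and the workspace with no "Query" linked storage account fails the saved-queries audit; the remaining resources are reported compliant. The four audits are deliberately independent, which matches how the built-in definitions report: a cluster can be compliant for infrastructure encryption while still non-compliant for customer-managed keys.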
Learn more about data encryption.
Learn more about customer-managed keys.