Questions about Azure Encryption

Arnaldo Morales Busato 20 Reputation points
2023-10-01T08:54:53.53+00:00

I have some doubts about how Microsoft Azure Encryption works. I come from AWS, and it seems that there are some security controls in AWS regarding encryption keys that we do not have in Azure. For example:

  • In AWS, if a disk is encrypted using a specific Customer Managed Key (CMK) and a user does not have access to that CMK, then the user cannot start up an EC2 instance with that encrypted disk. I have made some tests, and it looks like this is not the case in Azure.
  • The same happens in AWS when you want to create a snapshot of an encrypted disk: you need access to the CMK. This is not the case in Azure.
  • In AWS, when you use a CMK to encrypt files in S3, if a user with full S3 access in IAM but without access to the CMK tries to read files from S3, the user is not able to do it. This is not the case in Azure.

So, CMKs are just there in Azure for encryption at rest, and they have nothing to do with whether users are able to access the data or not, right? In my tests, having permissions on the encryption keys is only necessary to be able to select them when you want to enable encryption on resources.

On the other hand, why do we have the "Cryptographic Operations" option for Encrypt/Decrypt in the Key Vault Access Policies? I mean, I have a user without these permissions, and the user is still able to encrypt disks without problem, because he has all the Key Management Operations enabled. I am struggling to understand the use case for "Cryptographic Operations".

Thanks.


Accepted answer
  1. Sumarigo-MSFT 43,911 Reputation points Microsoft Employee
    2023-11-06T03:37:25.13+00:00

    @Arnaldo Morales Busato Apologies for the delayed response! Welcome to the Microsoft Q&A Forum, and thank you for posting your query here!

    In regards to this question: "So, CMKs are just there in Azure for encryption at rest, and they have nothing to do with whether users are able to access the data or not, right?" Yes, this is correct. The Azure implementation of CMK is to protect data at rest. It is not an access control mechanism.

    Please let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.
