The development team asks you to provision an Azure storage account for their use.
To remain in compliance with IT security policy, you need to ensure that the new Azure storage account meets the following requirements:
* Data must be encrypted at rest.
* Access keys must facilitate automatic rotation.
* The company must manage the access keys.
What should you do?
You should configure the storage account to store its keys in Azure Key Vault. Azure Key Vault provides a mechanism to store secrets, such as storage account keys, user credentials, and digital certificates, securely in the Microsoft Azure cloud. You can access the underlying Representational State Transfer (REST) application programming interface (API) to rotate or retrieve the secrets in your source code.
You should not enable SSE on the storage account for two reasons. First, SSE is enabled automatically on all Azure storage accounts and encrypts all storage account data at rest. Second, SSE in its native form uses Microsoft-managed access keys, which violates the scenario constraint for customer-managed keys.
You should not require secure transfer for the storage account. Secure transfer forces all REST API calls to use HTTPS instead of HTTP. This feature has nothing to do with either access keys or their management and rotation.
You should not create a service endpoint between the storage account and a VNet. A service endpoint allows you limit traffic to a storage account from resources residing on an Azure VNet.