Customer Managed Keys for SSE using ARM or Azure Policy
A common requirement we have is to re-configure Storage Accounts to use Customer Managed Keys for Storage Service Encryption (SSE). Currently, this can only be achieved manually through the Azure Portal, or through a sequence of PowerShell commands.
To improve manageability and compliance with corporate governance policies, we would like the ability to configure Storage Service Encryption (SSE) as its own Resource Type using ARM Templates. This would be similar to how "SQL Transparent Data Encryption" can be configured: https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2014-04-01/servers/databases/transparentdataencryption
This would allow us to:
a) Create new Storage Accounts with Customer Managed Keys configured by default
b) Use Azure Policy to enforce compliance of encryption by using "deployIfNotExists" to configure Storage Service Encryption (SSE)
We have already successfully requested the addition of encryption Aliases to Azure Policy (https://github.com/Azure/azure-policy/issues/210) and are now hoping to take this to the next level by using Azure Policy to enforce the desired configuration.
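As an added illustration of the enforcement side described above (not part of the original request), this Azure Policy definition uses the storage encryption alias to flag, or with the Deny effect block, storage accounts whose SSE key source is not Key Vault. It assumes the alias name `Microsoft.Storage/storageAccounts/encryption.keySource` and the value `Microsoft.Keyvault`; the deployIfNotExists remediation the request asks for would build on the same condition.

```json
{
  "properties": {
    "displayName": "Storage accounts should use customer-managed keys for SSE",
    "description": "Audits or denies storage accounts whose encryption key source is not Key Vault (assumed alias and value).",
    "mode": "Indexed",
    "parameters": {
      "effect": {
        "type": "String",
        "allowedValues": ["Audit", "Deny"],
        "defaultValue": "Audit",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit reports non-compliant accounts; Deny blocks creating or updating them."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/encryption.keySource",
            "notEquals": "Microsoft.Keyvault"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assign it with the default Audit effect first to measure the current compliance state, then switch to Deny once existing accounts have been migrated.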