
Storage accounts should have infrastructure encryption with CMK / Private Endpoints / Restrict network #330

Closed
shawngib opened this issue Aug 4, 2021 · 0 comments
Labels
documentation Improvements or additions to documentation draft Issues that are being authored, not ready for adding to a release. NIST Policy Issues related NIST 800-53 compliance

Comments

shawngib (Member) commented Aug 4, 2021

Benefit/Result/Outcome

  • Enable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled.
  • Secure your storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key
  • Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account
  • Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients
  • Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts*

Description
Since the only storage currently deployed is used for diagnostic settings, this should be considered as part of the 'central diagnostic logging' issue. For the purposes of MLZ, these requirements should be documented as to how to enable them, and it should be.

Acceptance Criteria

  • Document policy requirement and setting encryption instructions. It does not appear to be a setting in terraform azurerm.
  • Document policy requirement and setting customer-managed key for encryption. It does not appear to be a setting in terraform azurerm.
  • Document policy requirement and setting Storage accounts should use private link instructions.
  • Document policy for network settings - Restricted access and private link.
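The four acceptance criteria above map onto a small set of azurerm provider arguments and resources. The following is an added illustrative Terraform example, not code from the MLZ repository or from this issue, showing a diagnostics storage account with infrastructure encryption, a customer-managed key, a blob private endpoint and a deny-by-default network rule set. It assumes a resource group `azurerm_resource_group.rg`, subnets `azurerm_subnet.ops` and `azurerm_subnet.pe`, a Key Vault `azurerm_key_vault.kv` (with purge protection enabled, which Azure requires for CMK) and a key `azurerm_key_vault_key.cmk` are defined elsewhere; all names are placeholders.

```hcl
# Added example (not MLZ code). Dependent resources (rg, subnets, Key Vault,
# key) are assumed to exist elsewhere in the configuration; names are placeholders.

resource "azurerm_storage_account" "diag" {
  name                     = "stmlzdiagexample" # placeholder, must be globally unique
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  min_tls_version          = "TLS1_2"

  # Criterion 1: infrastructure (double) encryption. A second, independent
  # AES-256 layer at the infrastructure level. It can only be set when the
  # account is created, so it must be in the initial deployment.
  infrastructure_encryption_enabled = true

  # Criterion 2 (prerequisite): an identity the storage service uses to
  # wrap/unwrap the account key with the Key Vault key.
  identity {
    type = "SystemAssigned"
  }

  # Criterion 4: restrict network access. Deny by default, allow only the
  # operations subnet, and keep trusted Azure services (e.g. Azure Monitor
  # writing diagnostic logs) working. No public IP rules are opened.
  network_rules {
    default_action             = "Deny"
    bypass                     = ["AzureServices"]
    ip_rules                   = []
    virtual_network_subnet_ids = [azurerm_subnet.ops.id]
  }
}

# Criterion 2: grant the account's managed identity the minimum key
# permissions Azure Storage needs for a customer-managed key.
resource "azurerm_key_vault_access_policy" "storage_cmk" {
  key_vault_id = azurerm_key_vault.kv.id
  tenant_id    = azurerm_storage_account.diag.identity[0].tenant_id
  object_id    = azurerm_storage_account.diag.identity[0].principal_id

  key_permissions = ["Get", "UnwrapKey", "WrapKey"]
}

# Criterion 2: switch the account from Microsoft-managed to customer-managed
# encryption. Omitting key_version lets the service follow the latest
# version of the key, so rotation in Key Vault does not need a Terraform change.
resource "azurerm_storage_account_customer_managed_key" "diag" {
  storage_account_id = azurerm_storage_account.diag.id
  key_vault_id       = azurerm_key_vault.kv.id
  key_name           = azurerm_key_vault_key.cmk.name

  depends_on = [azurerm_key_vault_access_policy.storage_cmk]
}

# Criterion 3: private endpoint for the blob sub-resource, so the account is
# reached over the Azure backbone from the VNet rather than a public address.
# Add further endpoints (subresource_names "file", "table", "queue") as needed.
resource "azurerm_private_endpoint" "diag_blob" {
  name                = "pe-stmlzdiag-blob" # placeholder
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  subnet_id           = azurerm_subnet.pe.id

  private_service_connection {
    name                           = "psc-stmlzdiag-blob" # placeholder
    private_connection_resource_id = azurerm_storage_account.diag.id
    is_manual_connection           = false
    subresource_names              = ["blob"]
  }
}
```

Two checks are worth documenting alongside the settings: `infrastructure_encryption_enabled` cannot be changed after creation, so a plan that toggles it on an existing account will force a replacement, and a private endpoint is only effective for clients if name resolution for `privatelink.blob.core.windows.net` points at the endpoint's private IP (typically via a private DNS zone linked to the VNet), otherwise traffic still resolves to the public endpoint and is then blocked by the `Deny` default action.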
@shawngib shawngib added documentation Improvements or additions to documentation needs triage NIST Policy Issues related NIST 800-53 compliance labels Aug 4, 2021
@shawngib shawngib changed the title [NIST] Storage accounts should have infrastructure encryption [NIST] Storage accounts should have infrastructure encryption with CMK / Private Endpoints / Restrict network Aug 4, 2021
@brooke-hamilton brooke-hamilton changed the title [NIST] Storage accounts should have infrastructure encryption with CMK / Private Endpoints / Restrict network Storage accounts should have infrastructure encryption with CMK / Private Endpoints / Restrict network Aug 14, 2021
@brooke-hamilton brooke-hamilton added draft Issues that are being authored, not ready for adding to a release. and removed needs triage labels Feb 3, 2022