Merge pull request #853 from PatrickFarley/cogserv

denrea · web-flow · commit 0daf95296df4 · 2024-10-16T14:21:05.000-07:00
update doc
diff --git a/articles/ai-services/encryption/cognitive-services-encryption-keys-portal.md b/articles/ai-services/encryption/cognitive-services-encryption-keys-portal.md
@@ -7,61 +7,61 @@ ms.service: azure-ai-services
 ms.custom:
   - ignite-2023
 ms.topic: conceptual
-ms.date: 11/15/2023
+ms.date: 10/16/2024
 ms.author: pafarley
 ---
 
 # Customer-managed keys for encryption
 
-Azure AI is built on top of multiple Azure services. While the data is stored securely using encryption keys that Microsoft provides, you can enhance security by providing your own (customer-managed) keys. The keys you provide are stored securely using Azure Key Vault.
+Azure AI is built on top of multiple Azure services. While customer data is stored securely using encryption keys that Microsoft provides by default, you can enhance your security by providing your own (customer-managed) keys. The keys you provide are stored securely in Azure Key Vault.
 
 ## Prerequisites
 
 * An Azure subscription.
-* An Azure Key Vault instance. The key vault contains the key(s) used to encrypt your services.
-
+* An Azure Key Vault instance. The key vault contains the keys used to encrypt your services.
     * The key vault instance must enable soft delete and purge protection.
     * The managed identity for the services secured by a customer-managed key must have the following permissions in key vault:
-
         * wrap key
         * unwrap key
         * get
 
-## Customer-managed keys
-
-When you don't use a customer-managed key, Microsoft creates and manages these resources in a Microsoft owned Azure subscription and uses a Microsoft-managed key to encrypt the data. 
+## What are customer-managed keys?
 
-When you use a customer-managed key, these resources are _in your Azure subscription_ and encrypted with your key. While they exist in your subscription, these resources are managed by Microsoft. They're automatically created and configured when you create your Azure AI resource. 
+By default, Microsoft creates and manages your resources in a Microsoft-owned Azure subscription and uses a Microsoft-managed key to encrypt the data. 
 
-> [!IMPORTANT]
-> When using a customer-managed key, the costs for your subscription will be higher because these resources are in your subscription. To estimate the cost, use the [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator/).
+When you use a customer-managed key, these resources live in _your_ Azure subscription and are encrypted with your own key. While they exist in your subscription, these resources are still managed by Microsoft. They're automatically created and configured when you create your Azure AI resource. 
 
-These Microsoft-managed resources are located in a new Azure resource group is created in your subscription. This group is in addition to the resource group for your project. This resource group contains the Microsoft-managed resources that your key is used with. The resource group is named using the formula of `<Azure AI resource group name><GUID>`. It isn't possible to change the naming of the resources in this managed resource group.
+These Microsoft-managed resources are located in a new Azure resource group is created in your subscription. This resource group exists in addition to the resource group for your project. It contains the Microsoft-managed resources that your key is used with. The resource group is named using the formula of `<Azure AI resource group name><GUID>`. It isn't possible to change the naming of the resources in this managed resource group.
 
 > [!TIP]
-> * If your AI resource uses a private endpoint, this resource group will also contain a Microsoft-managed Azure Virtual Network. This VNet is used to secure communications between the managed services and the project. You cannot provide your own VNet for use with the Microsoft-managed resources. You also cannot modify the virtual network. For example, you cannot change the IP address range that it uses.
+> If your AI resource uses a private endpoint, this resource group will also contain a Microsoft-managed Azure Virtual Network. This VNet is used to secure communications between the managed services and the project. You cannot provide your own VNet for use with the Microsoft-managed resources. You also cannot modify the virtual network. For example, you cannot change the IP address range that it uses.
 
 > [!IMPORTANT]
 > If your subscription does not have enough quota for these services, a failure will occur.
 
+> [!IMPORTANT]
+> When using a customer-managed key, the costs for your subscription will be higher because these resources are in your subscription. To estimate the cost, use the [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator/).
+
 > [!WARNING]
-> Don't delete the managed resource group any of the resources automatically created in this group. If you need to delete the resource group or Microsoft-managed services in it, you must delete the Azure AI resources that uses it. The resource group resources are deleted when the associated AI resource is deleted.
+> Don't delete the managed resource group any of the resources automatically created in this group. If you need to delete the resource group or Microsoft-managed services in it, you must delete the Azure AI resources that use it. The resource group resources are deleted when the associated AI resource is deleted.
+
+## Enable customer-managed keys
 
-The process to enable Customer-Managed Keys with Azure Key Vault for Azure AI services varies by product. Use these links for service-specific instructions:
+The process to enable customer-managed keys with Azure Key Vault for Azure AI services varies by product. Use these links for service-specific instructions:
 
-* [Azure OpenAI encryption of data at rest](../openai/encrypt-data-at-rest.md)
-* [Custom Vision encryption of data at rest](../custom-vision-service/encrypt-data-at-rest.md)
-* [Face Services encryption of data at rest](../computer-vision/identity-encrypt-data-at-rest.md)
-* [Document Intelligence encryption of data at rest](../../ai-services/document-intelligence/authentication/encrypt-data-at-rest.md)
-* [Translator encryption of data at rest](../translator/encrypt-data-at-rest.md)
-* [Language service encryption of data at rest](../language-service/concepts/encryption-data-at-rest.md)
-* [Speech encryption of data at rest](../speech-service/speech-encryption-of-data-at-rest.md)
-* [Content Moderator encryption of data at rest](../Content-Moderator/encrypt-data-at-rest.md)
-* [Personalizer encryption of data at rest](../personalizer/encrypt-data-at-rest.md)
+* [Azure OpenAI](../openai/encrypt-data-at-rest.md)
+* [Azure Custom Vision ](../custom-vision-service/encrypt-data-at-rest.md)
+* [Azure AI Face Service ](../computer-vision/identity-encrypt-data-at-rest.md)
+* [Azure AI Document Intelligence ](../../ai-services/document-intelligence/authentication/encrypt-data-at-rest.md)
+* [Azure AI Translator ](../translator/encrypt-data-at-rest.md)
+* [Azure AI Language service ](../language-service/concepts/encryption-data-at-rest.md)
+* [Azure AI Speech ](../speech-service/speech-encryption-of-data-at-rest.md)
+* [Azure Content Moderator ](../Content-Moderator/encrypt-data-at-rest.md)
+* [Azure Personalizer ](../personalizer/encrypt-data-at-rest.md)
 
 ## How compute data is stored
 
-Azure AI uses compute resources for compute instance and serverless compute when you fine-tune models or build flows. The following table describes the compute options and how data is encrypted by each one:
+Azure AI uses resources for compute instance and serverless compute when you fine-tune models or build flows. The following table describes the compute options and how data is encrypted by each one:
 
 | Compute | Encryption |
 | ----- | ----- |
@@ -84,7 +84,7 @@ Each virtual machine also has a local temporary disk for OS operations. If you w
 * Resources that are created in the Microsoft-managed Azure resource group in your subscription can't be modified by you or be provided by you at the time of creation as existing resources.
 * You can't delete Microsoft-managed resources used for customer-managed keys without also deleting your project.
 
-## Next steps
+## Related content
 
 * [Azure AI services Customer-Managed Key Request Form](https://aka.ms/cogsvc-cmk) is still required for Speech and Content Moderator.
 * [What is Azure Key Vault](/azure/key-vault/general/overview)?
