updated CMK article about key rotation

MGoedtel · MGoedtel · commit 50edad52e203 · 2022-07-18T14:38:56.000-04:00
diff --git a/articles/aks/azure-disk-customer-managed-keys.md b/articles/aks/azure-disk-customer-managed-keys.md
@@ -3,21 +3,27 @@ title: Use a customer-managed key to encrypt Azure disks in Azure Kubernetes Ser
 description: Bring your own keys (BYOK) to encrypt AKS OS and Data disks.
 services: container-service
 ms.topic: article
-ms.date: 1/9/2022
+ms.date: 07/18/2022
 
 ---
 
 # Bring your own keys (BYOK) with Azure disks in Azure Kubernetes Service (AKS)
 
-Azure Storage encrypts all data in a storage account at rest. By default, data is encrypted with Microsoft-managed keys. For additional control over encryption keys, you can supply customer-managed keys to use for encryption at rest for both the OS and data disks for your AKS clusters. Learn more about customer-managed keys on [Linux][customer-managed-keys-linux] and [Windows][customer-managed-keys-windows].
+Azure Storage encrypts all data in a storage account at rest. By default, data is encrypted with Microsoft-managed keys. For additional control over encryption keys, you can supply customer-managed keys to use for encryption at rest for both the OS and data disks for your AKS clusters.
+
+Learn more about customer-managed keys on [Linux][customer-managed-keys-linux] and [Windows][customer-managed-keys-windows].
 
 ## Limitations
+
 * Data disk encryption support is limited to AKS clusters running Kubernetes version 1.17 and above.
 * Encryption of OS disk with customer-managed keys can only be enabled when creating an AKS cluster.
 
 ## Prerequisites
+
 * You must enable soft delete and purge protection for *Azure Key Vault* when using Key Vault to encrypt managed disks.
 * You need the Azure CLI version 2.11.1 or later.
+* Customer-managed keys are only supported in Kubernetes versions 1.17 and higher.
+* If you choose to rotate (change) your keys periodically, see [Customer-managed keys and encryption of Azure managed disk](../virtual-machines/disk-encryption.md) for more information.
 
 ## Create an Azure Key Vault instance
 
@@ -41,7 +47,7 @@ az keyvault create -n myKeyVaultName -g myResourceGroup -l myAzureRegionName  --
 ## Create an instance of a DiskEncryptionSet
 
 Replace *myKeyVaultName* with the name of your key vault.  You will also need a *key* stored in Azure Key Vault to complete the following steps.  Either store your existing Key in the Key Vault you created on the previous steps, or [generate a new key][key-vault-generate] and replace *myKeyName* below with the name of your key.
-    
+
 ```azurecli-interactive
 # Retrieve the Key Vault Id and store it in a variable
 $keyVaultId=az keyvault show --name myKeyVaultName --query "[id]" -o tsv
@@ -54,7 +60,7 @@ az disk-encryption-set create -n myDiskEncryptionSetName  -l myAzureRegionName
 ```
 
 > [!IMPORTANT]
-> Ensure your AKS cluster identity has read permission of DiskEncryptionSet
+> Ensure your AKS cluster identity has **read** permission of DiskEncryptionSet
 
 ## Grant the DiskEncryptionSet access to key vault
 
@@ -70,7 +76,7 @@ az keyvault set-policy -n myKeyVaultName -g myResourceGroup --object-id $desIden
 
 ## Create a new AKS cluster and encrypt the OS disk
 
-Create a **new resource group** and AKS cluster, then use your key to encrypt the OS disk. Customer-managed keys are only supported in Kubernetes versions greater than 1.17. 
+Create a **new resource group** and AKS cluster, then use your key to encrypt the OS disk.
 
 > [!IMPORTANT]
 > Ensure you create a new resoruce group for your AKS cluster
@@ -86,20 +92,23 @@ az group create -n myResourceGroup -l myAzureRegionName
 az aks create -n myAKSCluster -g myResourceGroup --node-osdisk-diskencryptionset-id $diskEncryptionSetId --kubernetes-version KUBERNETES_VERSION --generate-ssh-keys
 ```
 
-When new node pools are added to the cluster created above, the customer-managed key provided during the create is used to encrypt the OS disk.
+When new node pools are added to the cluster created above, the customer-managed key provided during the create process is used to encrypt the OS disk.
 
 ## Encrypt your AKS cluster data disk(optional)
-OS disk encryption key will be used to encrypt data disk if key is not provided for data disk from v1.17.2, and you can also encrypt AKS data disks with your other keys.
+
+OS disk encryption key is used to encrypt the data disk if the key is not provided for data disk from AKS version 1.17.2. You can also encrypt AKS data disks with your other keys.
 
 > [!IMPORTANT]
-> Ensure you have the proper AKS credentials. The managed identity will need to have contributor access to the resource group where the diskencryptionset is deployed. Otherwise, you will get an error suggesting that the managed identity does not have permissions.
+> Ensure you have the proper AKS credentials. The managed identity needs to have contributor access to the resource group where the diskencryptionset is deployed. Otherwise, you'll get an error suggesting that the managed identity does not have permissions.
 
 ```azurecli-interactive
 # Retrieve your Azure Subscription Id from id property as shown below
 az account list
 ```
 
-```
+The following example resembles output from the command:
+
+```output
 someuser@Azure:~$ az account list
 [
   {
@@ -131,7 +140,9 @@ parameters:
   kind: managed
   diskEncryptionSetID: "/subscriptions/{myAzureSubscriptionId}/resourceGroups/{myResourceGroup}/providers/Microsoft.Compute/diskEncryptionSets/{myDiskEncryptionSetName}"
 ```
-Next, run this deployment in your AKS cluster:
+
+Next, run the following commands to update your AKS cluster:
+
 ```azurecli-interactive
 # Get credentials
 az aks get-credentials --name myAksCluster --resource-group myResourceGroup --output table
