
Commit 60b487f

Merge pull request #231568 from schaffererin/aks-kv-access
adding note per gh feedback regarding proper permissions to ensure access to key vault keys
2 parents e08c925 + 1012623 commit 60b487f

File tree

1 file changed

+8
-5
lines changed


articles/aks/enable-host-encryption.md

Lines changed: 8 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -34,7 +34,7 @@ This feature can only be set at cluster creation or node pool creation time.
3434

3535
## Use host-based encryption on new clusters
3636

37-
Configure the cluster agent nodes to use host-based encryption when the cluster is created.
37+
Configure the cluster agent nodes to use host-based encryption when the cluster is created.
3838

3939
```azurecli-interactive
4040
az aks create --name myAKSCluster --resource-group myResourceGroup -s Standard_DS2_v2 -l westus2 --enable-encryption-at-host
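Review bot: the removed and added line 37 ("Configure the cluster agent nodes to use host-based encryption when the cluster is created.") render as identical text, so this looks like a whitespace-only or line-ending change; if it is not intentional, drop it from the PR so the diff shows only the Key Vault note and the Next steps edits, and if it is intentional, say so in the PR description.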
@@ -52,12 +52,13 @@ az aks nodepool add --name hostencrypt --cluster-name myAKSCluster --resource-gr
5252

5353
If you want to create new node pools without the host-based encryption feature, you can do so by omitting the `--enable-encryption-at-host` parameter.
5454

55-
## Next steps
56-
57-
Review [best practices for AKS cluster security][best-practices-security]
58-
Read more about [host-based encryption](../virtual-machines/disk-encryption.md#encryption-at-host---end-to-end-encryption-for-your-vm-data).
55+
> [!NOTE]
56+
> After you enable host-based encryption on your cluster, make sure you provide the proper access to your Azure Key Vault to enable encryption at rest. For more information, see [Control access][control-keys] and [Azure built-in roles for Key Vault data plane operations][akv-built-in-roles].
5957
58+
## Next steps
6059

60+
- Review [best practices for AKS cluster security][best-practices-security].
61+
- Read more about [host-based encryption](../virtual-machines/disk-encryption.md#encryption-at-host---end-to-end-encryption-for-your-vm-data).
6162
<!-- LINKS - external -->
6263

6364
<!-- LINKS - internal -->
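Review bot: the new note does not say which configuration actually requires Key Vault access, so it reads as if every cluster created with `--enable-encryption-at-host` depends on a key vault, while the `az aks create` command shown in this page references no key vault or key at all. State the condition under which the vault matters (for example, when the cluster's disks are encrypted with customer-managed keys rather than platform-managed keys) and, instead of "proper access", name which identity needs access and which least-privileged data-plane role it should be granted, since the sentence already links to the built-in roles list; a reader who grants broad vault permissions because the note is vague ends up with more access than encryption at rest needs.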
@@ -70,3 +71,5 @@ Read more about [host-based encryption](../virtual-machines/disk-encryption.md#e
7071
[az-feature-register]: /cli/azure/feature#az_feature_register
7172
[az-feature-list]: /cli/azure/feature#az_feature_list
7273
[az-provider-register]: /cli/azure/provider#az_provider_register
74+
[control-keys]: ../key-vault/general/best-practices.md#control-access-to-your-vault
75+
[akv-built-in-roles]: ../key-vault/general/rbac-guide.md#azure-built-in-roles-for-key-vault-data-plane-operations
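Review bot: both new link definitions point at heading anchors in other articles (`#control-access-to-your-vault` and `#azure-built-in-roles-for-key-vault-data-plane-operations`), and a renamed heading in `best-practices.md` or `rbac-guide.md` breaks these silently rather than failing the build; confirm the anchors match the current headings in those files and consider linking the article without the fragment where the fragment adds little.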