Based on the refined input, you can restructure the mail like this so it is clearer and action-oriented.
Subject: Action Required: Cosmos DB CMK Key Vault Access Update – Remediation Options
Dear User,
We are notifying you of an important update regarding encryption key management for your Cosmos DB account(s) using Customer-Managed Keys (CMK) within the UBS Prod tenant.
As per the latest Azure changes, the way Azure Key Vaults are accessed by Cosmos DB is changing. This impacts Cosmos DB accounts using CMK, regardless of whether the Key Vault is centrally managed or maintained within your own subscription.
To avoid service impact, the required remediation must be completed by December 2026.
Impact if no action is taken:
If the required action is not completed before the deadline, the affected Cosmos DB account may enter a failure state and become inaccessible.
Available Remediation Options
Please review and choose one of the following options based on your application setup and ownership model:
Option A: Create a new Key Vault and update Cosmos DB with the new Key Vault URI
This option allows you to continue using CMK by moving the encryption key to a Key Vault managed within your subscription and updating the Cosmos DB configuration with the new keyVaultKeyUri.
High-level steps:
- Create a new Key Vault with:
  - Soft Delete enabled
  - Purge Protection enabled
  - Valid RSA key of minimum 3072 bits
- Grant Cosmos DB access to the new Key Vault:
  - Assign permissions to the Cosmos DB managed identity
  - Required key permissions: get, wrapKey, unwrapKey
  - Alternatively, assign the RBAC role: Key Vault Crypto Service Encryption User
- Update Cosmos DB to use the new Key Vault key URI.
- Allow Cosmos DB to complete the encryption key transition.
- Validate:
  - Read/write operations
  - customerManagedKeyStatus
  - Alerts/logs
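As an added illustration of Option A (example script, not part of the original mail or the Emerging Databases team's tooling), the steps above as an Az PowerShell script. Resource group, vault, key and account names are placeholders; the script assumes the Cosmos DB account already has a managed identity, that the caller can create role assignments on the vault, and that the success text of customerManagedKeyStatus reads as noted in the comment.

```powershell
# Added example: Option A (new Key Vault, grant access, switch Cosmos DB, validate).
# All names below are placeholders for the real UBS Prod resources.
$rg       = 'rg-cosmos-prod'        # placeholder resource group
$vault    = 'kv-cosmos-cmk-01'      # placeholder, must be globally unique
$keyName  = 'cosmos-cmk'            # placeholder key name
$account  = 'cosmos-prod-01'        # placeholder Cosmos DB account
$location = 'westeurope'            # placeholder region

# Step 1: vault with soft delete (on by default for new vaults; retention set explicitly)
# and purge protection, so the key that wraps the data encryption key cannot be hard-deleted.
$kv = New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location $location `
        -SoftDeleteRetentionInDays 90 -EnablePurgeProtection -EnableRbacAuthorization

# RSA key of at least 3072 bits (use -Destination HSM on a Premium vault if required).
$null = Add-AzKeyVaultKey -VaultName $vault -Name $keyName -Destination Software `
          -KeyType RSA -Size 3072

# Step 2: least-privilege grant to the account's managed identity. The RBAC role from the
# mail covers exactly get/wrapKey/unwrapKey, nothing more (no list, create or delete).
$cosmos      = Get-AzCosmosDBAccount -ResourceGroupName $rg -Name $account
$principalId = $cosmos.Identity.PrincipalId
if (-not $principalId) { throw "Account $account has no managed identity; assign one first." }
New-AzRoleAssignment -ObjectId $principalId -Scope $kv.ResourceId `
    -RoleDefinitionName 'Key Vault Crypto Service Encryption User'
# Access-policy alternative, only for vaults that do not use RBAC:
# Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $principalId -PermissionsToKeys get,wrapKey,unwrapKey

# Step 3: point the account at the new key. A versionless URI lets Cosmos DB follow
# future key rotations without another account update.
$keyUri = "https://$vault.vault.azure.net/keys/$keyName"
Update-AzCosmosDBAccount -ResourceGroupName $rg -Name $account -KeyVaultKeyUri $keyUri

# Steps 4-5: wait for the key transition, polling customerManagedKeyStatus from the raw
# resource properties. Assumed success text: "Access to the configured customer managed key
# confirmed"; anything mentioning "revoked" means the grant above is wrong or not yet propagated.
$status = ''
for ($i = 0; $i -lt 20 -and $status -notmatch 'confirmed'; $i++) {
    Start-Sleep -Seconds 30
    $props  = (Get-AzResource -ResourceGroupName $rg -Name $account -ExpandProperties `
                 -ResourceType 'Microsoft.DocumentDB/databaseAccounts').Properties
    $status = [string]$props.customerManagedKeyStatus
    Write-Host "customerManagedKeyStatus: $status"
}
if ($status -notmatch 'confirmed') { throw "Key transition not confirmed: $status" }
# Finish validation with an application read/write smoke test and a check of the
# account's alerts and diagnostic logs before decommissioning the old vault key.
```

The old key should only be retired after the status is confirmed and the read/write checks pass; until then it is still needed to unwrap existing data encryption keys.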
Option B: Create a new Cosmos DB account with Microsoft-Managed Keys (MMK) and migrate data
Create a new Cosmos DB account configured with Microsoft-Managed Keys and migrate data from the existing CMK-enabled account using container copy.
Option C: Create a new Cosmos DB account using Point-in-Time Restore with MMK configuration
Create a new Cosmos DB account using Point-in-Time Restore and configure the restored account with Microsoft-Managed Keys.
Required Action
Please confirm which remediation option you would like to proceed with for your Cosmos DB account(s). Once confirmed, the Emerging Databases team can guide you on the next steps and required coordination.
For any questions or assistance, please reach out to DL-TS-HS-DB-EMERGINGDB-ENG.
Thanks & Regards,
Emerging Databases Team