Your Azure Data Lake Storage Gen2 account stores sensitive customer data. You need to ensure that data is encrypted at rest using customer-managed keys (CMK) and that access to the encryption key is logged. What should you do?
CMK in Key Vault allows customer control, and diagnostics logs capture key access events.
Why this answer
Option D is correct because CMK with Key Vault provides customer-controlled encryption keys, and Key Vault diagnostic logs record key access. Option A is wrong because infrastructure encryption uses platform-managed keys. Option B is wrong because SSE with platform-managed keys does not give customer control.
Option C is wrong because Double Encryption uses both platform and customer keys, but the primary requirement is CMK and logging.