Control: 5.1.4 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)
Description
The storage account with the activity log export container is configured to use BYOK (Use Your Own Key).
Configuring the storage account with the activity log export container to use BYOK (Use Your Own Key) provides additional confidentiality controls on log data as a given user must have read permission on the corresponding storage account and must be granted decrypt permission by the CMK.
By default, for a storage account keySource is set to Microsoft.Storage
allowing encryption with vendor Managed key and not the BYOK (Use Your Own Key).
Remediation
From Console
- In right column, Click service Storage Accounts to access Storage account blade
- Click on the storage account name
- In Section
Security + networking
click Encryption. It will show Storage service encryption configuration pane - In
Encryption selection
check Customer-managed keys is selected. - Use option Enter
Key URI
orSelect from Key Vault
to set up encryption with your own key
From Command Line
az storage account update --name <name of the storage account> --resourcegroup <resource group for a storage account> --encryption-keysource=Microsoft Keyvault --encryption-key-vault <Key Valut URI> --encryption-key-name <KeyName> --encryption-key-version <Key Version>
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v130_5_1_4
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v130_5_1_4 --share
SQL
This control uses a named query:
monitor_logs_storage_container_insights_operational_logs_encrypted_with_byok