Control: 5.1.4 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
Description
Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).
Configuring the storage account with the activity log export container to use CMKs provides additional confidentiality controls on log data, as a given user must have read permission on the corresponding storage account and must be granted decrypt permission by the CMK.
Remediation
From Azure Portal
- In the right column, click the service Storage Accounts to access the Storage account blade
- Click on the storage account name
- In the section SETTINGS, click Encryption. It will show the Storage service encryption configuration pane.
- Check Use your own key, which will expand the Encryption Key Settings
- Use the option Enter key URI or Select from Key Vault to set up encryption with your own key
From Azure CLI
az storage account update --name <name of the storage account> --resource-group <resource group for a storage account> --encryption-key-source Microsoft.Keyvault --encryption-key-vault <Key Vault URI> --encryption-key-name <KeyName> --encryption-key-version <Key Version>
Default Value
By default, a storage account's keySource is set to Microsoft.Storage, which encrypts data with a vendor-managed key and not a Customer Managed Key.
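An added example (not part of the benchmark text or the Powerpipe mod) that audits this control offline: it takes JSON shaped like the output of `az monitor diagnostic-settings subscription list` and `az storage account list`, and reports whether each storage account receiving activity logs has keySource set to Microsoft.Keyvault with a key configured. The sample data, resource names and the `audit` helper are constructed for illustration, and the JSON field layout is an assumption about the CLI output.

```python
# Constructed sample data; every name and ID below is made up.
PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
          "rg-logs/providers/Microsoft.Storage/storageAccounts/")
SETTINGS = [  # assumed shape of `az monitor diagnostic-settings subscription list`
    {"name": "export-a", "storageAccountId": PREFIX + "activitylogscmk"},
    {"name": "export-b", "storageAccountId": (PREFIX + "activitylogsdefault").upper()},
    {"name": "to-workspace", "storageAccountId": None},
]
ACCOUNTS = [  # assumed shape of `az storage account list`
    {"id": PREFIX + "activitylogscmk", "name": "activitylogscmk",
     "encryption": {"keySource": "Microsoft.Keyvault", "keyVaultProperties": {
         "keyVaultUri": "https://example-vault.vault.azure.net/",
         "keyName": "activity-log-key", "keyVersion": None}}},
    {"id": PREFIX + "activitylogsdefault", "name": "activitylogsdefault",
     "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": None}},
    {"id": PREFIX + "unrelated", "name": "unrelated",
     "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": None}},
]


def audit(settings, accounts):
    """Return {account name: (compliant, reason)} for activity-log storage accounts."""
    by_id = {a["id"].lower(): a for a in accounts}  # Azure resource IDs are case-insensitive
    results = {}
    for setting in settings:
        account_id = setting.get("storageAccountId")
        if not account_id:
            continue  # this setting does not export to a storage account
        account = by_id.get(account_id.lower())
        if account is None:
            results[account_id.rsplit("/", 1)[-1].lower()] = (False, "account not in listing")
            continue
        enc = account.get("encryption") or {}
        key_source = enc.get("keySource") or "Microsoft.Storage"  # default per this control
        kv = enc.get("keyVaultProperties") or {}
        if key_source.lower() != "microsoft.keyvault":
            verdict = (False, f"keySource is {key_source}")
        elif not (kv.get("keyVaultUri") and kv.get("keyName")):
            verdict = (False, "keySource is Key Vault but no key is configured")
        else:
            verdict = (True, f"CMK {kv['keyName']} in {kv['keyVaultUri']}")
        results[account["name"]] = verdict
    return results


if __name__ == "__main__":
    for name, (ok, reason) in sorted(audit(SETTINGS, ACCOUNTS).items()):
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {reason}")
```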
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v150_5_1_4
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v150_5_1_4 --share
SQL
This control uses a named query:
monitor_logs_storage_container_insights_operational_logs_encrypted_with_byok