turbot/steampipe-mod-azure-compliance

Control: 5.1.4 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key

Description

Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).

Configuring the storage account with the activity log export container to use CMKs provides additional confidentiality controls on log data, as a given user must have read permission on the corresponding storage account and must be granted decrypt permission by the CMK.

Remediation

From Azure Portal

  1. Navigate to the Storage accounts blade.
  2. Click on the storage account.
  3. Under Security + networking, click Encryption.
  4. Next to Encryption type, select Customer-managed keys.
  5. Complete the steps to configure a customer-managed key for encryption of the storage account.

From Azure CLI

az storage account update --name <name of the storage account> --resource-group <resource group for a storage account> --encryption-key-source=Microsoft.Keyvault --encryption-key-vault <Key Vault URI> --encryption-key-name <KeyName> --encryption-key-version <Key Version>

From PowerShell

Set-AzStorageAccount -ResourceGroupName <resource group name> -Name <storage account name> -KeyvaultEncryption -KeyVaultUri <key vault URI> -KeyName <key name>

Default Value

By default, a storage account's keySource is set to Microsoft.Storage, which means data is encrypted with a vendor-managed key rather than a Customer Managed Key.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v200_5_1_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v200_5_1_4 --share

SQL

This control uses a named query:

select
  a.id as resource,
  case
    when a.encryption_key_source = 'Microsoft.Keyvault' then 'ok'
    else 'alarm'
  end as status,
  case
    when a.encryption_key_source = 'Microsoft.Keyvault'
      then a.name || ' container insights-activity-logs encrypted with BYOK.'
    else a.name || ' container insights-activity-logs not encrypted with BYOK.'
  end as reason,
  a.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_storage_container c,
  azure_storage_account a,
  azure_subscription sub
where
  c.name = 'insights-activity-logs'
  and c.account_name = a.name
  and sub.subscription_id = a.subscription_id;
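
The same control evaluated offline, as an added example that is not part of the steampipe-mod-azure-compliance mod: it applies the named query's logic to constructed records shaped like the JSON `az storage account show` returns (the `encryption.keySource` / `encryption.keyVaultProperties` field names are an assumption to confirm against your own CLI output) and goes one step further than the query by also alarming when keySource is Microsoft.Keyvault but no key is actually referenced.

```python
import json

# Constructed sample accounts in the camelCase shape `az storage account show`
# emits (assumption: encryption.keySource / encryption.keyVaultProperties).
SAMPLE_ACCOUNTS_JSON = json.dumps([
    {"name": "stlogsprod", "resourceGroup": "rg-logging",
     "encryption": {"keySource": "Microsoft.Keyvault",
                    "keyVaultProperties": {"keyName": "logs-cmk",
                                           "keyVaultUri": "https://kv-logs.vault.azure.net/",
                                           "keyVersion": "0123456789abcdef"}}},
    {"name": "stlogsdev", "resourceGroup": "rg-logging",
     "encryption": {"keySource": "Microsoft.Storage"}},
    {"name": "stbroken", "resourceGroup": "rg-logging",
     "encryption": {"keySource": "Microsoft.Keyvault"}},  # CMK selected, no key set
    {"name": "stmisc", "resourceGroup": "rg-other",
     "encryption": {"keySource": "Microsoft.Storage"}},
])
# Constructed container inventory per account (stand-in for azure_storage_container).
SAMPLE_CONTAINERS: dict[str, list[str]] = {
    "stlogsprod": ["insights-activity-logs"],
    "stlogsdev": ["insights-activity-logs", "backups"],
    "stbroken": ["insights-activity-logs"],
    "stmisc": ["static-site"],
}
ACTIVITY_LOG_CONTAINER = "insights-activity-logs"


def evaluate_account(acct: dict) -> dict:
    """Apply the control to one account: keySource must be Microsoft.Keyvault
    and the key reference must be populated, otherwise the CMK is not in use."""
    enc = acct.get("encryption") or {}
    source = enc.get("keySource", "Microsoft.Storage")  # platform default
    kv = enc.get("keyVaultProperties") or {}
    has_key = bool(kv.get("keyName")) and bool(kv.get("keyVaultUri"))
    if source == "Microsoft.Keyvault" and has_key:
        status, detail = "ok", "encrypted with BYOK"
    elif source == "Microsoft.Keyvault":
        status, detail = "alarm", "has keySource Microsoft.Keyvault but no key referenced"
    else:
        status, detail = "alarm", "not encrypted with BYOK"
    return {"resource": acct["name"], "status": status,
            "reason": f"{acct['name']} container {ACTIVITY_LOG_CONTAINER} {detail}.",
            "resource_group": acct.get("resourceGroup")}


def run_control(accounts_json: str, containers: dict[str, list[str]]) -> list[dict]:
    """Mirror the query's WHERE clause: only accounts holding the export container count."""
    accounts = json.loads(accounts_json)
    return [evaluate_account(a) for a in accounts
            if ACTIVITY_LOG_CONTAINER in containers.get(a["name"], [])]


if __name__ == "__main__":
    for r in run_control(SAMPLE_ACCOUNTS_JSON, SAMPLE_CONTAINERS):
        print(f"{r['status']:5} {r['reason']}")
```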

Tags