turbot/steampipe-mod-azure-compliance

Control: 6.1.1.3 Ensure the storage account containing the container with activity logs is encrypted with customer-managed key (CMK)

Description

Customer-managed keys introduce additional depth to security by providing a means to manage access control for encryption keys. Where compliance and security frameworks indicate the need, and organizational capacity allows, sensitive data at rest can be encrypted using customer-managed keys (CMK) rather than Microsoft-managed keys.

Remediation

Remediate from Azure Portal

  1. Go to Monitor.
  2. Select Activity log.
  3. Select Export Activity Logs.
  4. Select a Subscription.
  5. Note the name of the Storage Account for the diagnostic setting.
  6. Navigate to Storage accounts.
  7. Click on the storage account.
  8. Under Security + networking, click Encryption.
  9. Next to Encryption type, select Customer-managed keys.
  10. Complete the steps to configure a customer-managed key for encryption of the storage account.

Remediate from Azure CLI

az storage account update --name <storage account name> --resource-group <resource group of the storage account> --encryption-key-source Microsoft.Keyvault --encryption-key-vault <Key Vault URI> --encryption-key-name <Key Name> --encryption-key-version <Key Version>

The key vault must have soft delete and purge protection enabled, and the storage account's managed identity needs get, wrapKey and unwrapKey permissions on the key. Omitting --encryption-key-version lets the storage account follow the latest key version automatically; specifying it pins the account to that version, so key rotation then has to be applied to the account manually.

Remediate from PowerShell

Set-AzStorageAccount -ResourceGroupName <resource group name> -Name <storageaccount name> -KeyvaultEncryption -KeyVaultUri <key vault URI> -KeyName <keyname>

Default Value

By default, encryption type is set to Microsoft-managed keys.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v500_6_1_1_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v500_6_1_1_3 --share

SQL

This control uses a named query:

select
  a.id as resource,
  case
    when a.encryption_key_source = 'Microsoft.Keyvault' then 'ok'
    else 'alarm'
  end as status,
  case
    when a.encryption_key_source = 'Microsoft.Keyvault'
      then a.name || ' container insights-activity-logs encrypted with BYOK.'
    else a.name || ' container insights-activity-logs not encrypted with BYOK.'
  end as reason,
  a.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_storage_container c,
  azure_storage_account a,
  azure_subscription sub
where
  c.name = 'insights-activity-logs'
  and c.account_name = a.name
  and sub.subscription_id = a.subscription_id;
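The named query above only tells you whether the key source is Microsoft.Keyvault; it does not show which vault and key are in use, or whether the account is pinned to a single key version (the manual-rotation mode the CLI remediation produces when --encryption-key-version is given). The following query is an added example, not part of the mod's control, that extends the check with those details so the result can be reviewed after remediation. It assumes, beyond what this page states, that the Steampipe azure_storage_account table exposes a jsonb column encryption_key_vault_properties carrying the ARM property names keyvaulturi, keyname and keyversion; it keeps the original join on account name, which is sufficient because storage account names are globally unique.

```sql
-- Added example (not the steampipe-mod-azure-compliance query): same scope as
-- the control, plus the key vault details behind a CMK-encrypted account.
-- Assumed (not stated on this page): azure_storage_account.encryption_key_vault_properties
-- is jsonb with keys keyvaulturi, keyname and keyversion. An empty keyversion means
-- the account follows the latest key version automatically.
select
  a.id as resource,
  case
    when a.encryption_key_source = 'Microsoft.Keyvault' then 'ok'
    else 'alarm'
  end as status,
  case
    when a.encryption_key_source <> 'Microsoft.Keyvault'
      then a.name || ' container insights-activity-logs not encrypted with CMK.'
    when coalesce(a.encryption_key_vault_properties ->> 'keyversion', '') = ''
      then a.name || ' encrypted with CMK '
           || coalesce(a.encryption_key_vault_properties ->> 'keyname', '<unknown>')
           || ' (follows latest key version).'
    else a.name || ' encrypted with CMK '
           || coalesce(a.encryption_key_vault_properties ->> 'keyname', '<unknown>')
           || ' pinned to version '
           || (a.encryption_key_vault_properties ->> 'keyversion')
           || ' (manual rotation).'
  end as reason,
  a.encryption_key_vault_properties ->> 'keyvaulturi' as key_vault_uri,
  a.encryption_key_vault_properties ->> 'keyname' as key_name,
  a.encryption_key_vault_properties ->> 'keyversion' as key_version,
  a.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_storage_container c
  join azure_storage_account a on c.account_name = a.name
  join azure_subscription sub on sub.subscription_id = a.subscription_id
where
  c.name = 'insights-activity-logs'
order by
  status, a.name;
```

Run it with steampipe query, or drop it into a custom control file, after applying the CLI or PowerShell remediation: an account should move from alarm to ok, and the key_version column shows whether rotation will be automatic. Like the control's own query, it evaluates only storage accounts that already hold an insights-activity-logs container, so a subscription that does not export its activity log at all produces no rows here rather than an alarm.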

Tags