Control: 5.1.4 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)
Description
The storage account with the activity log export container is configured to use BYOK (Use Your Own Key).
Configuring the storage account that holds the activity log export container to use BYOK (Use Your Own Key) adds a second confidentiality control on the log data: to read the logs, a principal must have read permission on the storage account and must also be granted decrypt (unwrap) permission on the customer-managed key (CMK) in Key Vault. Revoking access to the key, or disabling the key, makes the stored logs unreadable regardless of storage permissions.
By default, a storage account's keySource is set to Microsoft.Storage, which means the data is encrypted with a Microsoft-managed key rather than a key you control (BYOK).
Remediation
From Console
- Click Storage Accounts in the portal navigation to open the Storage accounts blade.
- Click the name of the storage account.
- In the Security + networking section, click Encryption. This opens the storage service encryption configuration pane.
- Under Encryption selection, check that Customer-managed keys is selected.
- Use Enter key URI or Select from Key Vault to set up encryption with your own key.
From Command Line
az storage account update --name <name of the storage account> --resource-group <resource group for the storage account> --encryption-key-source Microsoft.Keyvault --encryption-key-vault <Key Vault URI> --encryption-key-name <KeyName> --encryption-key-version <Key Version>
Before running this, the storage account needs a managed identity that has get, wrapKey and unwrapKey permission on the key, and the Key Vault must have soft delete and purge protection enabled; otherwise the update is rejected.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v140_5_1_4
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v140_5_1_4 --share
SQL
This control uses a named query:
select
  a.id as resource,
  case
    when a.encryption_key_source = 'Microsoft.Keyvault' then 'ok'
    else 'alarm'
  end as status,
  case
    when a.encryption_key_source = 'Microsoft.Keyvault' then a.name || ' container insights-operational-logs encrypted with BYOK.'
    else a.name || ' container insights-operational-logs not encrypted with BYOK.'
  end as reason,
  a.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_storage_container c,
  azure_storage_account a,
  azure_subscription sub
where
  c.name = 'insights-operational-logs'
  and c.account_name = a.name
  and sub.subscription_id = a.subscription_id;
The query only evaluates storage accounts that contain a container named insights-operational-logs, the container a legacy log profile writes the activity log to; accounts with no such container produce no result row, and an activity log exported through a diagnostic setting lands in a differently named container and is not covered by this check.
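Outside Powerpipe, the same condition can be evaluated directly from the JSON that az storage account show -o json returns, which is useful in a pipeline that has the CLI but not Steampipe. The script below is an added example, not code from the Powerpipe mod or the CIS benchmark: it reads encryption.keySource and encryption.keyVaultProperties from two constructed sample documents (shaped like the CLI output, with made-up account names, vault URI and key), reports ok/alarm with the same rule the SQL uses, and wraps the remediation with the az CLI flags spelled correctly. The remediation runs az only when DRY_RUN is emptied; by default it just prints the command.

```shell
#!/bin/sh
# Added example: evaluate and remediate BYOK on a storage account using the
# JSON shape of `az storage account show -o json`. Not part of the mod.
# Set DRY_RUN to the empty string (DRY_RUN= ./script.sh) to really call az.
DRY_RUN="${DRY_RUN-1}"

# Constructed sample: account still on the default Microsoft-managed key.
SAMPLE_MS_MANAGED='{
  "name": "stlogsprod01",
  "encryption": {
    "keySource": "Microsoft.Storage",
    "keyVaultProperties": null
  }
}'

# Constructed sample: account switched to a customer-managed key in Key Vault.
SAMPLE_BYOK='{
  "name": "stlogsprod02",
  "encryption": {
    "keySource": "Microsoft.Keyvault",
    "keyVaultProperties": {
      "keyName": "logs-cmk",
      "keyVaultUri": "https://kv-logs-prod.vault.azure.net/",
      "keyVersion": "0123456789abcdef0123456789abcdef"
    }
  }
}'

# Pull the string value of a JSON key from pretty-printed CLI output
# (one key per line). First match wins; empty when the key is absent or null.
# Adequate for this shape; use jq for anything more involved.
json_value() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Same rule as the control's SQL: ok only when keySource is Microsoft.Keyvault.
byok_status() {
  if [ "$(json_value "$1" keySource)" = "Microsoft.Keyvault" ]; then
    echo ok
  else
    echo alarm
  fi
}

# Human-readable reason, including which key is in use when one is configured.
byok_reason() {
  name=$(json_value "$1" name)
  if [ "$(byok_status "$1")" = ok ]; then
    echo "$name encrypted with BYOK: key $(json_value "$1" keyName) in $(json_value "$1" keyVaultUri)"
  else
    echo "$name not encrypted with BYOK (keySource=$(json_value "$1" keySource))"
  fi
}

# Remediation: switch the account to a Key Vault key. The managed identity of
# the account needs get/wrapKey/unwrapKey on the key first.
remediate_byok() {
  account=$1; group=$2; vault_uri=$3; key_name=$4; key_version=$5
  set -- az storage account update \
    --name "$account" --resource-group "$group" \
    --encryption-key-source Microsoft.Keyvault \
    --encryption-key-vault "$vault_uri" \
    --encryption-key-name "$key_name" \
    --encryption-key-version "$key_version"
  if [ -n "$DRY_RUN" ]; then
    printf '%s\n' "$*"      # show the command instead of running it
  else
    "$@"
  fi
}

# Stand-alone demonstration against the constructed samples.
for doc in "$SAMPLE_MS_MANAGED" "$SAMPLE_BYOK"; do
  printf '%s: %s\n' "$(byok_status "$doc")" "$(byok_reason "$doc")"
done
remediate_byok stlogsprod01 rg-logs https://kv-logs-prod.vault.azure.net/ \
  logs-cmk 0123456789abcdef0123456789abcdef
```

The JSON extraction is deliberately minimal so the script has no dependency beyond sed; in a real pipeline replace json_value with jq -r '.encryption.keySource' and friends. Passing --encryption-key-version pins the account to one key version; omit it only if you intend the account to track the latest version automatically and have confirmed that behaviour for your tenant.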