5.1.4 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)

Information

The storage account with the activity log export container is configured to use BYOK (Use Your Own Key).

Rationale:

Configuring the storage account with the activity log export container to use BYOK (Use Your Own Key) provides additional confidentiality controls on log data as a given user must have read permission on the corresponding storage account and must be granted decrypt permission by the CMK.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

From Azure Console

In right column, Click service Storage Accounts to access Storage account blade

Click on the storage account name

In Section SETTINGS click Encryption. It will show Storage service encryption configuration pane.

Check Use your own key which will expand Encryption Key Settings

Use option Enter key URI or Select from Key Vault to set up encryption with your own key

Using Azure Command Line Interface 2.0

az storage account update --name <name of the storage account> --resource-group <resource group for a storage account> --encryption-key-source=Microsoft.Keyvault --encryption-key-vault <Key Valut URI> --encryption-key-name <KeyName> --encryption-key-version <Key Version>

Default Value:

By default, for a storage account keySource is set to Microsoft.Storage allowing encryption with vendor Managed key and not the BYOK (Use Your Own Key).

See Also

https://workbench.cisecurity.org/files/3459

Item Details

Category: AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION

References: 800-53|AU-1, 800-53|AU-2, 800-53|IA-5(1), CSCv7|6

Plugin: microsoft_azure

Control ID: 6071d59dd70632b64c94c7430bda6f00634441b065129f7a5defcc01ad09fb3e