5.1.4 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).


Configuring the storage account with the activity log export container to use CMKs provides additional confidentiality controls on log data, as a given user must have read permission on the corresponding storage account and must be granted decrypt permission by the CMK.


NOTE: You must have your key vault setup to utilize this. All Audit Logs will be encrypted with a key you provide. You will need to set up customer managed keys separately, and you will select which key to use via the instructions here. You will be responsible for the lifecycle of the keys, and will need to manually replace them at your own determined intervals to keep the data secure.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


From Azure Portal

In right column, Click service Storage Accounts to access Storage account blade

Click on the storage account name

In Section SETTINGS click Encryption. It will show Storage service encryption configuration pane.

Check Use your own key which will expand Encryption Key Settings

Use option Enter key URI or Select from Key Vault to set up encryption with your own key

From Azure CLI

az storage account update --name <name of the storage account> --resource-group <resource group for a storage account> --encryption-key-source=Microsoft.Keyvault --encryption-key-vault <Key Vault URI> --encryption-key-name <KeyName> --encryption-key-version <Key Version>

Default Value:

By default, for a storage account keySource is set to Microsoft.Storage allowing encryption with vendor Managed key and not a Customer Managed Key.

See Also