6.1.1.3 Ensure the storage account containing the container with activity logs is encrypted with customer-managed key (CMK)

Information

Customer-managed keys introduce additional depth to security by providing a means to manage access control for encryption keys. Where compliance and security frameworks indicate the need, and organizational capacity allows, sensitive data at rest can be encrypted using customer-managed keys (CMK) rather than Microsoft-managed keys.

By default in Azure, data at rest tends to be encrypted using Microsoft-managed keys. If your organization wants to control and manage encryption keys for compliance and defense-in-depth, customer-managed keys can be established.

Configuring the storage account with the activity log export container to use CMKs provides additional confidentiality controls on log data, as a given user must have read permission on the corresponding storage account and must be granted decrypt permission by the CMK.

While it is possible to automate the assessment of this recommendation, its assessment status remains 'Manual' because its scope should ideally be limited. The scope of application (which workloads CMK is applied to) should be carefully considered to account for organizational capacity, and targeted to workloads with a specific need for CMK.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Remediate from Azure Portal

- Go to Monitor.
- Select Activity log.
- Select Export Activity Logs.
- Select a Subscription.
- Note the name of the Storage Account for the diagnostic setting.
- Navigate to Storage accounts.
- Click on the storage account.
- Under Security + networking, click Encryption.
- Next to Encryption type, select Customer-managed keys.
- Complete the steps to configure a customer-managed key for encryption of the storage account.

Remediate from Azure CLI

az storage account update \
  --name <name of the storage account> \
  --resource-group <resource group for a storage account> \
  --encryption-key-source Microsoft.Keyvault \
  --encryption-key-vault <Key Vault URI> \
  --encryption-key-name <KeyName> \
  --encryption-key-version <Key Version>

Remediate from PowerShell

Set-AzStorageAccount -ResourceGroupName <resource group name> -Name <storage account name> -KeyvaultEncryption -KeyVaultUri <key vault URI> -KeyName <key name>
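To audit the result of the remediation above, the check below (an added example; it is not part of the CIS benchmark, the Tenable plugin, or the Azure tooling) evaluates the "encryption" block that `az storage account show` returns for the account named in the subscription's activity log diagnostic setting. It assumes the field names `keySource`, `keyVaultProperties.keyVaultUri`, `keyName` and `keyVersion` in that block and the `storageAccountId` field of the diagnostic setting; the account names, key vault URI, subscription id and key version are constructed sample values. It also reports whether a key version is pinned, since a pinned version (as the CLI command sets) is the case where rotation or expiry of the key requires a manual update.

```python
import json

# Constructed sample: the "encryption" block of `az storage account show` for
# (a) an account still on Microsoft-managed keys and (b) one on a CMK whose
# version is pinned, as the CLI remediation on this page does.
SAMPLE_ACCOUNTS = {
    "stactivitylogsdefault": {
        "keySource": "Microsoft.Storage",
        "keyVaultProperties": None,
    },
    "stactivitylogscmk": {
        "keySource": "Microsoft.Keyvault",
        "keyVaultProperties": {
            "keyName": "activity-log-key",
            "keyVaultUri": "https://kv-example.vault.azure.net/",
            "keyVersion": "0123456789abcdef0123456789abcdef",  # constructed placeholder
        },
    },
}

# Constructed sample of the subscription diagnostic setting that exports the
# activity log; storageAccountId identifies the account to audit.
SAMPLE_DIAGNOSTIC_SETTING = {
    "name": "export-activity-log",
    "storageAccountId": (
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs"
        "/providers/Microsoft.Storage/storageAccounts/stactivitylogscmk"
    ),
}


def storage_account_name_from_id(resource_id):
    """Return the last segment of an ARM resource id (the storage account name)."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]


def audit_encryption(encryption):
    """Evaluate one account's encryption block against this recommendation.

    PASS requires keySource == Microsoft.Keyvault plus a key vault URI and key name.
    'pinned_version' is True when a specific key version is configured.
    """
    enc = encryption or {}
    key_source = enc.get("keySource") or ""
    kv = enc.get("keyVaultProperties") or {}
    cmk = (key_source == "Microsoft.Keyvault"
           and bool(kv.get("keyVaultUri")) and bool(kv.get("keyName")))
    if not cmk:
        reason = ("keySource is %s; expected Microsoft.Keyvault with a key vault URI "
                  "and key name" % (key_source or "unset"))
        return {"status": "FAIL", "cmk": False, "pinned_version": False, "reason": reason}
    pinned = bool(kv.get("keyVersion"))
    reason = "CMK %s from %s" % (kv["keyName"], kv["keyVaultUri"])
    if pinned:
        reason += " (key version pinned: rotation or expiry requires a manual update)"
    else:
        reason += " (no key version pinned: the account follows the current key version)"
    return {"status": "PASS", "cmk": True, "pinned_version": pinned, "reason": reason}


def audit_activity_log_export(diagnostic_setting, accounts):
    """Locate the storage account the activity log exports to and audit it.

    `accounts` maps account name -> encryption block (as from `az storage account show`).
    """
    target_id = diagnostic_setting.get("storageAccountId")
    base = {"account": None, "cmk": False, "pinned_version": False}
    if not target_id:
        return dict(base, status="FAIL",
                    reason="diagnostic setting does not export to a storage account")
    name = storage_account_name_from_id(target_id)
    if name not in accounts:
        return dict(base, account=name, status="FAIL",
                    reason="storage account %s not found in inventory" % name)
    result = audit_encryption(accounts[name])
    result["account"] = name
    return result


if __name__ == "__main__":
    # Audit the export target, then list every inventoried account's status.
    print(json.dumps(audit_activity_log_export(SAMPLE_DIAGNOSTIC_SETTING, SAMPLE_ACCOUNTS), indent=2))
    for acct_name, enc in SAMPLE_ACCOUNTS.items():
        print(acct_name, audit_encryption(enc)["status"])
```

In practice the two inputs come from `az monitor diagnostic-settings subscription list` and `az storage account show --query encryption` for each account; feeding their JSON into the functions above reproduces the portal steps (note the account on the diagnostic setting, then inspect its Encryption blade) without clicking through.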

Impact:

If the key expires because an 'activation date' and 'expiration date' were set on it, the key must be rotated manually.

Using customer-managed keys may also incur additional man-hour requirements to create, store, manage, and protect the keys as needed.

See Also

https://workbench.cisecurity.org/benchmarks/21611

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|14.8

Plugin: microsoft_azure

Control ID: 61c6eb2d76a05e5ffe12c029ecab2f0d94f6879456b0d359d9e1d26709cf2917