Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)

MEDIUM

Description

Description:

The storage account with the activity log export container is configured to use BYOK (Use Your Own Key).

Rationale:

Configuring the storage account with the activity log export container to use BYOK (Use Your Own Key) adds a confidentiality control on the log data: to read the logs, a user must both have read permission on the storage account and be granted decrypt permission on the customer-managed key (CMK).

NOTE: You must have your key vault set up to use this.
All audit logs will be encrypted with a key you provide. You will need to set up customer-managed keys separately, and you will select which key to use via the instructions here. You will be responsible for the lifecycle of the keys and will need to replace them manually at intervals you determine in order to keep the data secure.

Remediation

From Azure Console

  1. In the right column, click the service 'Storage Accounts' to open the Storage account blade
  2. Click on the storage account name
  3. In the 'SETTINGS' section, click 'Encryption'. This shows the 'Storage service encryption' configuration pane.
  4. Check 'Use your own key', which expands the 'Encryption Key' settings
  5. Use the option 'Enter key URI' or 'Select from Key Vault' to set up encryption with your own key

Using Azure Command Line Interface 2.0

az storage account update --name <storage-account-name> --resource-group <resource-group> --encryption-key-source=Microsoft.Keyvault --encryption-key-vault <key-vault-uri> --encryption-key-name <key-name> --encryption-key-version <key-version>

Replace the <...> placeholders with the storage account, resource group, Key Vault URI, key name and key version to use.
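An audit check for this rule, added here as an example and not part of the original policy text: it evaluates the `encryption` block of `az storage account show -o json` output for the accounts that host the activity log export container. The account records and the set of log-account names are constructed for the example.

```python
import json

# Constructed sample in the shape of `az storage account show -o json` output,
# reduced to the fields this check reads. Not real accounts, vaults or keys.
SAMPLE_ACCOUNTS = json.loads("""
[
  {"name": "auditlogsprod",
   "encryption": {"keySource": "Microsoft.Keyvault",
                  "keyVaultProperties": {"keyName": "activitylog-cmk",
                                         "keyVaultUri": "https://example-kv.vault.azure.net/",
                                         "keyVersion": "00000000000000000000000000000000"}}},
  {"name": "auditlogsdev",
   "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": null}},
  {"name": "auditlogsstage",
   "encryption": {"keySource": "Microsoft.Keyvault",
                  "keyVaultProperties": {"keyName": "activitylog-cmk",
                                         "keyVaultUri": "https://example-kv.vault.azure.net/",
                                         "keyVersion": ""}}},
  {"name": "websiteassets",
   "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": null}}
]
""")

# Assumed set of accounts holding the activity log export container; in practice
# take these from the activity log export / diagnostic settings.
ACTIVITY_LOG_ACCOUNTS = {"auditlogsprod", "auditlogsdev", "auditlogsstage"}


def check_cmk_encryption(account):
    """Return a finding for one storage account record (compliant, issues, notes)."""
    enc = account.get("encryption") or {}
    props = enc.get("keyVaultProperties") or {}
    issues, notes = [], []
    if enc.get("keySource") != "Microsoft.Keyvault":
        issues.append("keySource is %r, expected 'Microsoft.Keyvault'" % enc.get("keySource"))
    else:
        for field in ("keyName", "keyVaultUri"):
            if not props.get(field):
                issues.append("keyVaultProperties.%s is not set" % field)
        if not props.get("keyVersion"):
            # An empty version means the account tracks the latest key version
            # automatically; worth surfacing against a manual rotation policy.
            notes.append("keyVersion is empty: latest key version is used automatically")
    return {"name": account["name"], "compliant": not issues, "issues": issues, "notes": notes}


def audit_activity_log_accounts(accounts, log_account_names):
    """Check only the accounts that host the activity log export container."""
    return [check_cmk_encryption(a) for a in accounts if a["name"] in log_account_names]


if __name__ == "__main__":
    for f in audit_activity_log_accounts(SAMPLE_ACCOUNTS, ACTIVITY_LOG_ACCOUNTS):
        print("PASS" if f["compliant"] else "FAIL", f["name"], f["issues"] or f["notes"])
```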

Policy Details

Rule Reference ID: AC_AZURE_0233
CSP: Azure
Remediation Available: No
Resource Category: Storage
Resource Type: Storage Accounts

Frameworks