Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key

MEDIUM

Description

Description:

Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).

Rationale:

Configuring the storage account with the activity log export container to use CMKs provides additional confidentiality controls on log data, as a given user must have read permission on the corresponding storage account and must be granted decrypt permission by the CMK.

NOTE: You must have your key vault setup to utilize this.
All Audit Logs will be encrypted with a key you provide. You will need to set up customer managed keys separately, and you will select which key to use via the instructions here. You will be responsible for the lifecycle of the keys, and will need to manually replace them at your own determined intervals to keep the data secure.

Remediation

From Azure Portal

  1. Navigate to the Storage accounts blade.
  2. Click on the storage account.
  3. Under 'Security + networking', click 'Encryption'.
  4. Next to 'Encryption type', select 'Customer-managed keys'.
  5. Complete the steps to configure a customer-managed key for encryption of the storage account.

From Azure CLI

az storage account update --name --resource-group --encryption-key-source=Microsoft.Keyvault --encryption-key-vault --encryption-key-name --encryption-key-version

From PowerShell

Set-AzStorageAccount -ResourceGroupName -Name -KeyvaultEncryption -KeyVaultUri -KeyName