
lacework-global-630

Encrypt the storage account containing the container with activity logs with Customer Managed Key (Manual)

Note: This rule has been changed to manual; see Permanently Manual Policies for CIS Azure 1.5.0 for details.

Profile Applicability

• Level 2

Description

Configure storage accounts with the activity log exports to use Customer Managed Keys (CMKs).

Rationale

Configuring the storage account with the activity log export container to use CMKs provides additional confidentiality controls on log data, as a given user must have read permission on the corresponding storage account and must be granted decrypt permission by the CMK.

Impact

NOTE: You must have your key vault set up to utilize this. All Audit Logs will be encrypted with a key you provide. You will need to set up customer managed keys separately, and you will select which key to use via the instructions here. You will be responsible for the lifecycle of the keys, and will need to manually replace them at your own determined intervals to keep the data secure.

Audit

From Azure Portal

  1. Go to Activity log
  2. Select Export
  3. Select Subscription
  4. In section Storage Account, note the name of the Storage account
  5. Close the Export Audit Logs blade. Close the Monitor - Activity Log blade.
  6. In the right column, click the Storage Accounts service to open the Storage accounts blade
  7. Click on the storage account name noted in step 4. This opens the blade for that storage account
  8. In the SETTINGS section, click Encryption. This shows the Storage service encryption configuration pane.
  9. Ensure Use your own key is checked and Key URI is set.

From Azure CLI

  1. Get the storage account ID configured with the log profile:
     az monitor log-profiles list --query "[*].storageAccountId"
  2. Ensure the storage account is encrypted with CMK:
     az storage account list --query "[?name=='<Storage Account Name>']"

In the command output, ensure keySource is set to Microsoft.Keyvault and keyVaultProperties is not null.
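The CLI audit above can be scripted against the JSON the two az commands return. The following is an added example (not Lacework's or CIS's own code) that links each log profile's storageAccountId to the matching storage account and applies the keySource / keyVaultProperties check; the account names, subscription ID, vault URI and key names in the samples are constructed.

```python
"""Evaluate the CMK check for activity-log storage accounts, using JSON as
returned by `az monitor log-profiles list` and `az storage account list`.
The samples below are constructed and mirror only the fields the rule inspects."""
import json

# Constructed sample: one log profile exporting to storage account "auditlogsprod".
LOG_PROFILES = json.loads("""[
  {"name": "default",
   "storageAccountId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs/providers/Microsoft.Storage/storageAccounts/auditlogsprod"}
]""")

# Constructed sample of `az storage account list` output: one CMK-encrypted account,
# one using Microsoft-managed keys, one with keySource set but no key vault bound.
STORAGE_ACCOUNTS = json.loads("""[
  {"name": "auditlogsprod",
   "encryption": {"keySource": "Microsoft.Keyvault",
                  "keyVaultProperties": {"keyName": "logs-key",
                                         "keyVaultUri": "https://kv-logs.vault.azure.net/",
                                         "keyVersion": "a1b2c3"}}},
  {"name": "scratchdata",
   "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": null}},
  {"name": "halfdone",
   "encryption": {"keySource": "Microsoft.Keyvault", "keyVaultProperties": null}}
]""")


def account_name_from_id(resource_id: str) -> str:
    """The last segment of an ARM resource ID is the storage account name."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]


def uses_customer_managed_key(account: dict) -> bool:
    """Pass only if keySource is Microsoft.Keyvault AND keyVaultProperties is
    populated with a vault URI and key name: a null keyVaultProperties means
    no customer-managed key is actually bound, so the account fails."""
    enc = account.get("encryption") or {}
    props = enc.get("keyVaultProperties") or {}
    return (enc.get("keySource") == "Microsoft.Keyvault"
            and bool(props.get("keyVaultUri"))
            and bool(props.get("keyName")))


def audit_log_profile_accounts(log_profiles, storage_accounts) -> dict:
    """Map each log-profile storage account name to True (CMK) or False (fail);
    an account referenced by a profile but missing from the listing fails."""
    by_name = {a["name"]: a for a in storage_accounts}
    result = {}
    for profile in log_profiles:
        name = account_name_from_id(profile["storageAccountId"])
        result[name] = uses_customer_managed_key(by_name.get(name, {}))
    return result
```

Any account that evaluates to False is the one to remediate with the az storage account update command in the Remediation section.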

Remediation

From Azure Portal

  1. Navigate to the Storage accounts blade.
  2. Click the storage account.
  3. Under Security + networking, click Encryption.
  4. Next to Encryption type, select Customer-managed keys.
  5. Complete the steps to configure a customer-managed key for encryption of the storage account.

From Azure CLI

az storage account update --name <name of the storage account> --resource-group <resource group for a storage account> --encryption-key-source=Microsoft.Keyvault --encryption-key-vault <Key Vault URI> --encryption-key-name <KeyName> --encryption-key-version <Key Version>

References

https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-5-encrypt-sensitive-data-at-rest