Description:
The storage account with the activity log export container is configured to use BYOK (Use Your Own Key).
Rationale:
Configuring the storage account with the activity log export container to use BYOK (Use Your Own Key) provides an additional confidentiality control on log data, since a given user must have both read permission on the corresponding storage account and decrypt permission on the CMK.
Impact:
For enterprises that elect to use encryption to protect their data, securing their encryption keys is of paramount importance. Bring Your Own Key (BYOK) provides an encryption key management model that allows enterprises to encrypt their data while retaining control and management of their encryption keys.
Default Value:
By default, a storage account's key source is set to Microsoft.Storage, meaning data is encrypted with a Microsoft-managed key rather than BYOK (Use Your Own Key).
Audit:
From Azure Console
- Search for Storage accounts to access the Storage account blade
- Click on the storage account name
- In the Security + networking section, click Encryption. This opens the Storage service encryption configuration pane
- Check Use your own key, which expands Encryption Key Settings
- Check that Enter key URI or Select from Key Vault is selected with your own key
Using Azure Command-Line Interface 2.0
Get storage account id configured with log profile:
az monitor log-profiles list --query "[*].storageAccountId"
Ensure the storage account is encrypted with CMK:
az storage account list --query "[?name=='<Storage Account Name>']"
In the command output, ensure the key source is set to Microsoft.Keyvault and keyVaultProperties is not null.
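As an added example (not part of the CIS text), the following Python script wraps the two az commands above and applies the audit's pass condition to every storage account a log profile exports to: keySource must be Microsoft.Keyvault and keyVaultProperties must be populated. The SAMPLE_* documents are constructed for illustration, and the az helper assumes a logged-in Azure CLI on the path.

```python
"""Audit helper (added example, not CIS text): for each storage account a log
profile exports the activity log to, confirm encryption.keySource is
Microsoft.Keyvault and encryption.keyVaultProperties is populated."""
import json
import subprocess
from typing import Tuple

def az(args: list) -> object:
    """Run an az CLI command and return its parsed JSON output."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)

def assess_encryption(account: dict) -> Tuple[bool, str]:
    """Evaluate one `az storage account show` document: pass only when
    keySource is Microsoft.Keyvault AND keyVaultProperties carries a vault
    URI and key name; Microsoft.Storage or a null block is a finding."""
    enc = account.get("encryption") or {}
    source = enc.get("keySource")
    if source != "Microsoft.Keyvault":
        return False, f"keySource is {source!r}, expected 'Microsoft.Keyvault'"
    kv = enc.get("keyVaultProperties") or {}
    if not kv.get("keyVaultUri") or not kv.get("keyName"):
        return False, "keyVaultProperties is null or lacks keyVaultUri/keyName"
    return True, f"CMK {kv['keyName']} from {kv['keyVaultUri']}"

# Constructed sample documents in the shape of `az storage account show` output.
SAMPLE_MICROSOFT_MANAGED = {
    "name": "activitylogsmmk",
    "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": None},
}
SAMPLE_CMK = {
    "name": "activitylogscmk",
    "encryption": {"keySource": "Microsoft.Keyvault",
                   "keyVaultProperties": {"keyVaultUri": "https://example-kv.vault.azure.net/",
                                          "keyName": "activity-log-key",
                                          "keyVersion": "0123abcd"}},
}

if __name__ == "__main__":
    # Log profiles with no storage sink report storageAccountId as null; skip them.
    for rid in az(["monitor", "log-profiles", "list", "--query", "[*].storageAccountId"]):
        if not rid:
            continue
        account = az(["storage", "account", "show", "--ids", rid])
        ok, reason = assess_encryption(account)
        print(f"{'PASS' if ok else 'FAIL'} {account['name']}: {reason}")
```

Run it as a script to print PASS/FAIL per exported-to storage account; import it to reuse assess_encryption against JSON you already have.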
Remediation:
From Azure Console
- Search for Storage accounts to access the Storage account blade
- Click on the storage account name
- In the Security + networking section, click Encryption. This opens the Storage service encryption configuration pane
- Check Use your own key, which expands Encryption Key Settings
- Use the option Enter key URI or Select from Key Vault to set up encryption with your own key
Using Azure Command-Line Interface 2.0
az storage account update --name <name of the storage account> --resource-group <resource group for a storage account> --encryption-key-source=Microsoft.Keyvault --encryption-key-vault <Key Vault URI> --encryption-key-name <KeyName> --encryption-key-version <Key Version>
Backout Plan:
- Search for Storage accounts to access the Storage account blade
- Click on the storage account name
- In the Security + networking section, click Encryption. This opens the Storage service encryption configuration pane
- Click on Encryption Type and enable Microsoft-managed keys
Using Azure Command Line Interface 2.0
az storage account update --name <name of the storage account> --resource-group <resource group for