Description:

Storage Account encryption with Customer Managed Keys (CMK) provides an additional layer of security by using an organization's own Azure Key Vault keys to encrypt data stored in Azure Storage Accounts. This is critical for activity logs that may contain sensitive information, as it ensures that the data is encrypted with a key managed by the customer rather than Azure's default encryption. Ensuring that the Storage Account containing the container with activity logs is encrypted with CMK helps meet compliance and security requirements, particularly for sensitive or regulated data.

Rationale:

Using Customer Managed Keys (CMK) for encryption allows organizations to:

  • Retain control over encryption by using their own keys stored in Azure Key Vault.

  • Meet compliance requirements by ensuring that sensitive data is encrypted in line with regulatory standards.

  • Improve security by having fine-grained access control over the encryption keys and the ability to rotate them as needed.

  • Enable key auditing through Azure Key Vault, providing transparency into key usage and access.

Impact:

Enabling CMK encryption on the Storage Account for activity logs will ensure that all stored activity logs, including sensitive data, are encrypted according to the organization's security policies. However, the added control over keys may require additional management overhead, including key rotation and monitoring. Additionally, enabling CMK encryption may increase storage costs due to the overhead of key management and access logging.

Default Value:

By default, Azure Storage Accounts use Microsoft-managed keys (MMK) for encryption. Customer Managed Keys (CMK) must be manually configured for encryption.

Pre-requisites:

  • Azure subscription with Azure Key Vault configured.

  • Owner or Contributor role permissions to configure CMK encryption for Storage Accounts.

  • Key Vault with a key available to be used for encryption.

  • Activity Logs stored in a Storage Account container.

Audit:

  1. Sign in to Azure portal as an Owner or Contributor.

  2. Navigate to the Storage Account containing the container with activity logs.

  3. Review the Storage Account settings to ensure that encryption is enabled with Customer Managed Key (CMK).

Implementation Steps (Automated):

  1. Sign in to Azure portal:

    • Use an account with Owner or Contributor permissions.

  2. Navigate to the Storage Account:

    • In the Azure portal, search for and select the Storage Account containing the container with activity logs.

  3. Navigate to Encryption Settings:

    • In the Storage Account pane, under the Settings section, select Encryption.

  4. Enable Encryption with CMK:

    • Select the option Customer-Managed Keys (CMK).

    • Click Select a Key Vault and choose the appropriate Azure Key Vault that holds the key you want to use for encryption.

    • Select the Key from the Key Vault that will be used to encrypt the data.

    • Ensure that the Key Vault is configured to allow Azure Storage to access the key.

  5. Review and Apply Changes:

    • Review the settings and confirm that the Storage Account is now configured to use Customer Managed Keys (CMK) for encryption.

    • Click Save to apply the changes and enable CMK encryption.

  6. Verify CMK Encryption:

    • After enabling CMK encryption, verify that all activity logs in the Storage Account container are encrypted by checking the Encryption status under the Settings section in the Storage Account.

    • You can also test this by accessing the data and checking if access is logged in Azure Key Vault.

Automate CMK Encryption using Azure CLI: To automate the configuration of CMK encryption for Azure Storage Accounts, run the following Azure CLI command:

# Point the account at a key in your own Key Vault. The vault is identified
# by its URI (https://<KeyVault-Name>.vault.azure.net/), not by name alone.
# Omitting --encryption-key-version lets Storage track new key versions
# automatically after rotation.
az storage account update \
  --name <Storage-Account-Name> \
  --resource-group <Resource-Group-Name> \
  --encryption-key-source Microsoft.Keyvault \
  --encryption-key-vault https://<KeyVault-Name>.vault.azure.net/ \
  --encryption-key-name <Key-Name>

  1. Replace <Storage-Account-Name>, <Resource-Group-Name>, <KeyVault-Name>, and <Key-Name> with the appropriate values for your environment.

  2. Verify CMK Encryption in Log Analytics (Optional):

    • You can query Azure Monitor and Log Analytics to verify the encryption status by checking logs related to activity log storage in your environment.

  3. Monitor and Review Logs:

    • Use Azure Monitor to regularly review logs related to encryption and key usage. Set up alerts in Azure Monitor if necessary to track key rotation, access events, or changes to the encryption settings.
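The audit step above (checking that the Storage Account's encryption is set to CMK) and the verification step after the CLI change can both be scripted against the JSON that "az storage account show -o json" returns. The following is an added example, not part of this benchmark or of the Azure CLI; the account names, vault URI and key name in the embedded sample are constructed, and the field names assume the current shape of the "encryption" block in that output.

```python
import json
import subprocess

# Constructed sample resembling the "encryption" block of
# `az storage account show -o json` for a CMK-enabled account.
SAMPLE_CMK_ACCOUNT = json.loads("""
{
  "name": "stactivitylogs",
  "encryption": {
    "keySource": "Microsoft.Keyvault",
    "keyVaultProperties": {
      "keyName": "activitylogs-cmk",
      "keyVaultUri": "https://kv-logs-example.vault.azure.net/",
      "keyVersion": ""
    },
    "services": {"blob": {"enabled": true, "keyType": "Account"}}
  }
}
""")

# Constructed sample of an account still on Microsoft-managed keys (the default).
SAMPLE_MMK_ACCOUNT = {"name": "stdefault",
                      "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": None}}


def audit_cmk(account: dict) -> list[str]:
    """Return audit findings for one account; an empty list means it passes."""
    findings = []
    enc = account.get("encryption") or {}
    if enc.get("keySource") != "Microsoft.Keyvault":
        findings.append("keySource is %r, expected Microsoft.Keyvault (CMK not enabled)" % enc.get("keySource"))
        return findings
    kv = enc.get("keyVaultProperties") or {}
    if not kv.get("keyVaultUri") or not kv.get("keyName"):
        findings.append("keySource is Microsoft.Keyvault but no Key Vault URI / key name is configured")
    if kv.get("keyVersion"):
        # A pinned version means rotated keys in Key Vault are not picked up automatically.
        findings.append("key version is pinned to %s; rotation requires a manual update" % kv["keyVersion"])
    blob = (enc.get("services") or {}).get("blob") or {}
    if blob.get("keyType") == "Service":
        findings.append("blob service uses a Microsoft-managed service key, so the CMK does not cover it")
    return findings


def audit_live_account(name: str, resource_group: str) -> list[str]:
    """Fetch a real account with the Azure CLI (requires a prior `az login`) and audit it."""
    cmd = ["az", "storage", "account", "show", "--name", name,
           "--resource-group", resource_group, "-o", "json"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return audit_cmk(json.loads(out))
```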

Backout Plan (Automated):

  1. Sign in to Azure portal:

    • Use an account with Owner or Contributor permissions.

  2. Navigate to the Storage Account:

    • Go to the Storage Account in the Azure portal.

  3. Revert to Microsoft Managed Keys:

    • In the Storage Account pane, go to Encryption under Settings.

    • Change the encryption setting back to Microsoft-managed keys.

    • Click Save to revert to the default encryption.

  4. Verify Encryption Setting:

    • Ensure that the Storage Account is no longer using Customer Managed Keys (CMK) for encryption and is reverted to Microsoft-managed keys.

  5. Test the Backout Configuration:

    • Trigger activity (e.g., accessing the container or logs) and ensure that no data is encrypted with CMK. Verify that the encryption has been reverted.

References: