Storage account containing the blob container with activity logs should be encrypted with Customer Managed Key
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Description
Storage accounts with activity log exports have the option to utilize Customer Managed Keys (CMKs) for encryption. By default, storage accounts use vendor managed keys for encryption. However, configuring the storage account to use CMKs enhances confidentiality controls on log data, requiring the user to have read permission on the storage account and decrypt permission by the CMK. It is important to note that setting up a key vault is necessary to use CMKs, as all Audit Logs are encrypted using a key provided by the user. The user is responsible for managing the lifecycle of the keys and replacing them at regular intervals to maintain data security.
From the console
- Navigate to the Storage accounts blade.
- Click on the storage account.
- Under Security + networking, click Encryption.
- Next to Encryption type, select Customer-managed keys.
- Complete the steps to configure a customer-managed key for encryption of the storage account.
From the command line
az storage account update --name <name of the storage account> --resource- group <resource group for a storage account> --encryption-key- source=Microsoft.Keyvault --encryption-key-vault <Key Vault URI> -- encryption-key-name <KeyName> --encryption-key-version <Key Version>
Using PowerShell
Set-AzStorageAccount -ResourceGroupName <resource group name> -Name <storage account name> -KeyvaultEncryption -KeyVaultUri <key vault URI> -KeyName <key name>
References
- https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-5-encrypt-sensitive-data-at-rest
- https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=cli#managing-legacy-log-profiles
