Storage account containing the blob container with activity logs should be encrypted with Customer Managed Key

Description

Storage accounts that receive activity log exports can use Customer Managed Keys (CMKs) for encryption at rest. By default, storage accounts use Microsoft-managed keys. Configuring the storage account to use a CMK strengthens confidentiality controls on the log data: reading it then requires both read permission on the storage account and decrypt permission on the CMK in Key Vault. Note that a key vault is required to use CMKs, because all Audit Logs are then encrypted with a key supplied by the user. The user is responsible for managing the lifecycle of that key and rotating it at regular intervals to maintain data security.

Remediation

From the console

  1. Navigate to the Storage accounts blade.
  2. Click on the storage account.
  3. Under Security + networking, click Encryption.
  4. Next to Encryption type, select Customer-managed keys.
  5. Complete the steps to configure a customer-managed key for encryption of the storage account.

From the command line

az storage account update --name <name of the storage account> --resource-group <resource group for a storage account> --encryption-key-source=Microsoft.Keyvault --encryption-key-vault <Key Vault URI> --encryption-key-name <KeyName> --encryption-key-version <Key Version>

Using PowerShell

Set-AzStorageAccount -ResourceGroupName <resource group name> -Name <storage account name> -KeyvaultEncryption -KeyVaultUri <key vault URI> -KeyName <key name>
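The following audit helper is an added example, not code from the CIS benchmark or from Microsoft. It checks the outcome of the CLI and PowerShell remediation above by inspecting the JSON that `az storage account show` (or `az storage account list`) returns for each account, and it assumes that JSON carries `encryption.keySource` (either "Microsoft.Storage" or "Microsoft.Keyvault") and `encryption.keyVaultProperties` with `keyName`, `keyVaultUri` and `keyVersion`. The sample accounts embedded in the block are constructed for illustration. A pinned `keyVersion` is reported as a note rather than a failure, because it is valid but means the account will not pick up rotated key versions automatically, which matters for the key-rotation duty described above.

```python
"""Audit which storage accounts are encrypted with a Customer Managed Key.

Added example (not CIS or Microsoft code). Assumed input: the JSON objects
returned by `az storage account show` / `az storage account list`, e.g.

    az storage account list -o json > accounts.json

Only the `name` and `encryption` fields are inspected.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from typing import List


@dataclass
class Finding:
    account: str
    compliant: bool
    reasons: List[str] = field(default_factory=list)  # why it failed
    notes: List[str] = field(default_factory=list)    # advisory only


def assess(account: dict) -> Finding:
    """Return a Finding for one storage account JSON object."""
    name = account.get("name", "<unknown>")
    enc = account.get("encryption") or {}
    source = enc.get("keySource")

    # Platform-managed keys (Microsoft.Storage) or a missing value both fail.
    if source != "Microsoft.Keyvault":
        return Finding(name, False,
                       [f"keySource is {source!r}, expected 'Microsoft.Keyvault'"])

    # keySource says CMK, but the Key Vault reference must be complete too.
    props = enc.get("keyVaultProperties") or {}
    reasons = []
    if not props.get("keyVaultUri"):
        reasons.append("keyVaultProperties.keyVaultUri is missing")
    if not props.get("keyName"):
        reasons.append("keyVaultProperties.keyName is missing")

    notes = []
    # An explicit keyVersion pins the account to that version; rotating the
    # key in Key Vault then needs a follow-up update of the storage account.
    if props.get("keyVersion"):
        notes.append("keyVersion is pinned; rotated key versions are not "
                     "picked up until the storage account is updated")

    return Finding(name, not reasons, reasons, notes)


def audit(accounts: List[dict]) -> List[Finding]:
    """Assess every account in a list (the shape of `az storage account list`)."""
    return [assess(a) for a in accounts]


def noncompliant_names(accounts: List[dict]) -> List[str]:
    """Names of accounts that should be remediated per this recommendation."""
    return [f.account for f in audit(accounts) if not f.compliant]


# Constructed sample data mimicking `az storage account list` output.
SAMPLE_ACCOUNTS = json.loads("""
[
  {"name": "stlogsprod",
   "encryption": {"keySource": "Microsoft.Keyvault",
                  "keyVaultProperties": {"keyName": "activitylog-key",
                                         "keyVaultUri": "https://kv-logs-example.vault.azure.net/",
                                         "keyVersion": ""}}},
  {"name": "stlogsdev",
   "encryption": {"keySource": "Microsoft.Storage",
                  "keyVaultProperties": null}},
  {"name": "stlogspinned",
   "encryption": {"keySource": "Microsoft.Keyvault",
                  "keyVaultProperties": {"keyName": "activitylog-key",
                                         "keyVaultUri": "https://kv-logs-example.vault.azure.net/",
                                         "keyVersion": "0123456789abcdef0123456789abcdef"}}}
]
""")


if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS):
        status = "PASS" if f.compliant else "FAIL"
        print(f"{status} {f.account} {'; '.join(f.reasons + f.notes)}")
```

Run it against a real export by replacing `SAMPLE_ACCOUNTS` with `json.load(open("accounts.json"))`; any account listed by `noncompliant_names` is one where the `az storage account update` or `Set-AzStorageAccount` command above still needs to be applied.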

References

  1. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-5-encrypt-sensitive-data-at-rest
  2. https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=cli#managing-legacy-log-profiles