Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key

The storage account with the activity log export container is configured to use BYOK (Bring Your Own Key), i.e. a customer-managed key held in Azure Key Vault rather than a Microsoft-managed key.

Risk Level: Low
Cloud Entity: Log Profile
CloudGuard Rule ID: D9.AZU.CRY.16
Covered by Spectral: Yes
Category: Global

GSL LOGIC

LogProfile should have properties.storageAccountEncryption.keyVault

REMEDIATION

From Portal

  1. Go to 'Storage accounts' and choose your storage account
  2. Select 'Encryption' under 'Security+Networking' in the navigation menu
  3. The Storage service encryption configuration pane is shown. Select 'Customer-managed keys', which expands the Encryption Key Settings.
  4. Use the 'Enter key URI' or 'Select from Key Vault' option to set up encryption with your own key
  5. Save

From TF
Set the 'key_vault_id' and 'key_name' arguments as below (the storage account to protect is referenced through 'storage_account_id'):

resource "azurerm_storage_account_customer_managed_key" "example" {
	# Storage account holding the activity log export container
	storage_account_id = STORAGEACCOUNTID
	# Key Vault that holds the key, and the name of the key to use
	key_vault_id = KEYVAULTID
	key_name = KEYVAULTNAME
}

From Command Line
Run

az storage account update --name STORAGEACCOUNTNAME --resource-group RESOURCEGROUPNAME --encryption-key-source=Microsoft.Keyvault --encryption-key-vault KEYVAULTURI --encryption-key-name KEYNAME --encryption-key-version KEYVERSION
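To audit this rule offline before remediating, the following added example (not CloudGuard's own GSL engine or Azure code) evaluates the encryption settings of storage accounts as returned by 'az storage account show' / 'az storage account list' and flags every account that is not using a Key Vault key. The account records are constructed samples with only the encryption fields kept; the field names (keySource, keyVaultProperties.keyName, keyVaultUri, keyVersion) are those the CLI emits.

```python
"""Offline check: is a storage account encrypted with a customer-managed key?"""
import json

# Constructed sample shaped like `az storage account list -o json`, trimmed to
# the encryption fields. Third record: keySource says Key Vault but no key is set.
SAMPLE_ACCOUNTS = json.loads("""[
  {"name": "activitylogsprod",
   "encryption": {"keySource": "Microsoft.Keyvault",
                  "keyVaultProperties": {"keyName": "logs-cmk",
                                         "keyVaultUri": "https://kv-example.vault.azure.net/",
                                         "keyVersion": ""}}},
  {"name": "activitylogsdev",
   "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": null}},
  {"name": "legacyaccount",
   "encryption": {"keySource": "Microsoft.Keyvault", "keyVaultProperties": null}}
]""")


def uses_customer_managed_key(account):
    """Return (compliant, reason) for one storage account record."""
    enc = account.get("encryption") or {}
    source = enc.get("keySource")
    if source != "Microsoft.Keyvault":
        return False, "keySource is %r, expected 'Microsoft.Keyvault'" % (source,)
    kv = enc.get("keyVaultProperties") or {}
    # keyVersion may legitimately be empty (automatic key version rotation);
    # keyName and keyVaultUri must be present for the CMK to be in effect.
    missing = [f for f in ("keyName", "keyVaultUri") if not kv.get(f)]
    if missing:
        return False, "keySource is Microsoft.Keyvault but %s not set" % ", ".join(missing)
    return True, "CMK %s from %s" % (kv["keyName"], kv["keyVaultUri"])


def find_noncompliant(accounts):
    """Names and reasons of the accounts that fail the rule, in input order."""
    failures = []
    for acct in accounts:
        ok, reason = uses_customer_managed_key(acct)
        if not ok:
            failures.append((acct["name"], reason))
    return failures


if __name__ == "__main__":
    for name, reason in find_noncompliant(SAMPLE_ACCOUNTS):
        print("%s: %s" % (name, reason))
```

Feed it real data with the output of 'az storage account list -o json' and remediate each flagged account with the 'az storage account update' command above.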

References

  1. https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview?toc=/azure/storage/blobs/toc.json#enable-customer-managed-keys-for-a-storage-account
  2. https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_update
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_customer_managed_key

Log Profile

The Azure activity log captures control/management activities performed on a subscription. By default, the Azure Portal retains activity logs only for 90 days. The Log Profile defines the type of events that are stored or streamed and the outputs: storage account and/or event hub. The Log Profile, if configured properly, can ensure that all activity logs are retained for longer dur

Compliance Frameworks

  • Azure CIS Foundations v. 1.1.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CloudGuard Best Practices
  • Azure ITSG-33
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset