Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
The storage account with the activity log export container is configured to use BYOK (Use Your Own Key).
Risk Level: Low
Cloud Entity: Log Profile
CloudGuard Rule ID: D9.AZU.CRY.16
Covered by Spectral: Yes
Category: Global
GSL LOGIC
LogProfile should have properties.storageAccountEncryption.keyVault
REMEDIATION
From Portal
- Go to 'Storage accounts' and choose your storage account
- Select 'Encryption' under 'Security+Networking' in the navigation menu
- It will show
Storage service encryption
configuration pane.SelectCustomer-managed keys
which will expand Encryption Key Settings. - Use option
Enter key URI
orSelect from Key Vault
to set up encryption with your own key - Save
From TF
Set the 'key_vault_id' and 'key_name' argument as below:
resource "azurerm_storage_account_customer_managed_key" "example" {
..
key_vault_id = KEYVAULTID
key_name = KEYVAULTNAME
..
}
From Command Line
Run
az storage account update --name STORAGEACCOUNTNAME --resource-group RESOURCEGROUPNAME --encryption-key-source=Microsoft.Keyvault --encryption-key-vault KEYVAULTURI --encryption-key-name KEYNAME --encryption-key-version KEYVERSION
References
- https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview?toc=/azure/storage/blobs/toc.json#enable-customer-managed-keys-for-a-storage-account
- https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_update
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_customer_managed_key
Log Profile
The Azure activity log captures control/management activities performed on a subscription. By default, the Azure Portal retains activity logs only for 90 days. The Log Profile defines the type of events that are stored or streamed and the outputs���storage account and/or event hub. The Log Profile, if configured properly, can ensure that all activity logs are retained for longer dur
Compliance Frameworks
- Azure CIS Foundations v. 1.1.0
- Azure CIS Foundations v. 1.2.0
- Azure CIS Foundations v. 1.3.0
- Azure CIS Foundations v. 1.3.1
- Azure CIS Foundations v. 1.4.0
- Azure CIS Foundations v. 1.5.0
- Azure CIS Foundations v.2.0
- Azure CloudGuard Best Practices
- Azure ITSG-33
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset
Updated over 1 year ago