Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key

The storage account with the activity log export container is configured to use BYOK (Use Your Own Key).

Risk Level: Low
Cloud Entity: Log Profile
CloudGuard Rule ID: D9.AZU.CRY.16
Covered by Spectral: Yes
Category: Global


LogProfile should have properties.storageAccountEncryption.keyVault


From Portal

  1. Go to 'Storage accounts' and choose your storage account
  2. Select 'Encryption' under 'Security+Networking' in the navigation menu
  3. It will show Storage service encryption configuration pane.Select Customer-managed keys which will expand Encryption Key Settings.
  4. Use option Enter key URI or Select from Key Vault to set up encryption with your own key
  5. Save

From TF
Set the 'key_vault_id' and 'key_name' argument as below:

resource "azurerm_storage_account_customer_managed_key" "example" {
	key_vault_id = KEYVAULTID
	key_name = KEYVAULTNAME

From Command Line

az storage account update --name STORAGEACCOUNTNAME --resource-group RESOURCEGROUPNAME --encryption-key-source=Microsoft.Keyvault --encryption-key-vault KEYVAULTURI --encryption-key-name KEYNAME --encryption-key-version KEYVERSION


  1. https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview?toc=/azure/storage/blobs/toc.json#enable-customer-managed-keys-for-a-storage-account
  2. https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_update
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_customer_managed_key

Log Profile

The Azure activity log captures control/management activities performed on a subscription. By default, the Azure Portal retains activity logs only for 90 days. The Log Profile defines the type of events that are stored or streamed and the outputs���storage account and/or event hub. The Log Profile, if configured properly, can ensure that all activity logs are retained for longer dur

Compliance Frameworks

  • Azure CIS Foundations v. 1.1.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CloudGuard Best Practices
  • Azure ITSG-33
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset