Ensure Storage for Critical Data are Encrypted with Customer Managed Keys

By default, data in a storage account is encrypted at rest with Microsoft-managed keys. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables, and all object metadata is encrypted as well. If you want to control and manage the encryption key yourself, you can specify a customer-managed key held in Azure Key Vault; that key is then used to protect and control access to the key that encrypts your data. You can also choose to have the key version used for Azure Storage encryption updated automatically whenever a new version is available in the associated Key Vault.

Risk Level: Low
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.CRY.27
Covered by Spectral: Yes
Category: Storage

GSL LOGIC

StorageAccount should have encryption.keySource='Microsoft.Keyvault'
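The GSL rule above can be evaluated offline against the JSON that `az storage account list --output json` emits. The following is an added example, not CloudGuard or Microsoft code; it reads the ARM property names the CLI returns (`encryption.keySource`, `encryption.keyVaultProperties.*`, `identity.type`) and, alongside the pass/fail the rule itself gives, reports the three things a reviewer wants to see next: which vault and key are in use, whether the key version is pinned (so rotation in Key Vault does not take effect until the account is updated), and whether the account has a managed identity to unwrap the key. The three storage accounts in `SAMPLE_JSON` are constructed for the example.

```python
"""Offline evaluation of the CloudGuard rule
    StorageAccount should have encryption.keySource='Microsoft.Keyvault'
over `az storage account list --output json` output.

Added example, not CloudGuard or Microsoft code. Field names follow the
Azure CLI / ARM schema for Microsoft.Storage/storageAccounts.
"""
import json
import sys

# Constructed sample shaped like `az storage account list --output json`,
# trimmed to the fields the check reads: one account on platform-managed
# keys, one on a CMK pinned to a fixed key version, and one on a CMK with
# automatic key-version updates (empty keyVersion) and a managed identity.
SAMPLE_JSON = """
[
  {
    "name": "stplatformkeys",
    "identity": null,
    "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": null}
  },
  {
    "name": "stcmkpinned",
    "identity": {"type": "SystemAssigned"},
    "encryption": {
      "keySource": "Microsoft.Keyvault",
      "keyVaultProperties": {
        "keyName": "storage-cmk",
        "keyVaultUri": "https://kv-example.vault.azure.net/",
        "keyVersion": "0123456789abcdef0123456789abcdef",
        "currentVersionedKeyIdentifier": "https://kv-example.vault.azure.net/keys/storage-cmk/0123456789abcdef0123456789abcdef"
      }
    }
  },
  {
    "name": "stcmkautorotate",
    "identity": {"type": "UserAssigned"},
    "encryption": {
      "keySource": "Microsoft.Keyvault",
      "keyVaultProperties": {
        "keyName": "storage-cmk",
        "keyVaultUri": "https://kv-example.vault.azure.net/",
        "keyVersion": "",
        "currentVersionedKeyIdentifier": "https://kv-example.vault.azure.net/keys/storage-cmk/fedcba9876543210fedcba9876543210"
      }
    }
  }
]
"""

REQUIRED_KEY_SOURCE = "Microsoft.Keyvault"


def sample_accounts():
    """Parsed form of the constructed sample above."""
    return json.loads(SAMPLE_JSON)


def evaluate(account):
    """Return a finding dict for one storage account object.

    'compliant' is the GSL rule exactly: keySource must equal
    'Microsoft.Keyvault'. The other fields are context for the reviewer.
    """
    enc = account.get("encryption") or {}
    kv = enc.get("keyVaultProperties") or {}
    identity = account.get("identity") or {}
    key_source = enc.get("keySource")
    compliant = key_source == REQUIRED_KEY_SOURCE
    identity_type = identity.get("type")
    return {
        "name": account.get("name"),
        "compliant": compliant,
        "keySource": key_source,
        "keyVaultUri": kv.get("keyVaultUri"),
        "keyName": kv.get("keyName"),
        # An empty keyVersion means Storage tracks the latest key version.
        "autoRotation": compliant and not kv.get("keyVersion"),
        # ARM reports "None" (or omits identity) when no identity is assigned.
        "hasManagedIdentity": bool(identity_type) and identity_type != "None",
    }


def audit(accounts):
    """Evaluate every account; findings are returned in input order."""
    return [evaluate(a) for a in accounts]


def non_compliant_names(accounts):
    """Names of accounts that fail the GSL rule."""
    return [f["name"] for f in audit(accounts) if not f["compliant"]]


def main(argv):
    # Real run:  az storage account list --output json > accounts.json
    #            python audit_cmk.py accounts.json
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            accounts = json.load(fh)
    else:
        accounts = sample_accounts()
    for f in audit(accounts):
        line = f"{'PASS' if f['compliant'] else 'FAIL'} {f['name']} keySource={f['keySource']}"
        if f["compliant"]:
            line += (f" vault={f['keyVaultUri']} key={f['keyName']}"
                     f" autoRotation={f['autoRotation']}"
                     f" managedIdentity={f['hasManagedIdentity']}")
        print(line)
    return 1 if non_compliant_names(accounts) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it evaluates the constructed sample and exits non-zero because `stplatformkeys` still uses `Microsoft.Storage`; pointing it at a real `az storage account list` dump gives the same report for a subscription.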

REMEDIATION

From Portal

  1. Sign in to the Azure portal and navigate to 'Storage Accounts'.
  2. For each storage account, go to 'Encryption'.
  3. Ensure that Encryption type is set to 'Customer Managed Keys' and select the Key Vault and key to use.
  4. Click Save.

From TF
Set the 'key_vault_id' argument under azurerm_storage_account_customer_managed_key as below. The arguments are resource references, not quoted strings; the storage account also needs an identity block (for example a system-assigned identity) and that identity needs get, wrapKey and unwrapKey access on the key vault. Leaving out 'key_version' makes the account track the latest key version automatically.

resource "azurerm_storage_account_customer_managed_key" "example" {
  ..
  storage_account_id = azurerm_storage_account.example.id
  key_vault_id       = azurerm_key_vault.example.id
  key_name           = azurerm_key_vault_key.example.name
  # key_version omitted: the storage account tracks the latest key version
  ..
}

From Command Line
To configure customer-managed keys with automatic updating of the key version with Azure CLI, omit --encryption-key-version so the account tracks the latest version. The storage account must already have a managed identity that holds get, wrapKey and unwrapKey permissions on the key vault, and the key vault must have soft-delete and purge protection enabled; otherwise the update fails:

keyVaultUri=$(az keyvault show --name KEYVAULT --resource-group RESOURCEGROUP --query properties.vaultUri --output tsv)
az storage account update --name STORAGEACCOUNT --resource-group RESOURCEGROUP --encryption-key-name KEY --encryption-key-source Microsoft.Keyvault --encryption-key-vault $keyVaultUri

References

  1. https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview
  2. https://learn.microsoft.com/en-us/azure/storage/common/storage-service-encryption
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_customer_managed_key#key_vault_id
  4. https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-key-vault?tabs=azure-cli

Azure Storage Account

An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.

Compliance Frameworks

  • Azure CIS Foundations v. 1.0.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CSA CCM v.3.0.1
  • Azure CloudGuard Best Practices
  • Azure CloudGuard SOC2 based on AICPA TSC 2017
  • Azure Dashboard System Ruleset
  • Azure GDPR Readiness
  • Azure HIPAA
  • Azure HITRUST v9.5.0
  • Azure ISO 27001:2013
  • Azure ITSG-33
  • Azure LGPD regulation
  • Azure NIST 800-53 Rev 4
  • Azure NIST 800-53 Rev 5
  • Azure New Zealand Information Security Manual (NZISM) v.3.4
  • Azure PCI-DSS 3.2
  • CloudGuard Azure All Rules Ruleset