Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'
Enable encryption at rest for PostgreSQL Databases
Risk Level: Low
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.CRY.49
Covered by Spectral: No
Category: Storage
GSL LOGIC
StorageAccount should have encryption.requireInfrastructureEncryption=true
REMEDIATION
From Portal
- From Azure Portal select the portal menu in the top left.
- Select Storage Accounts.
- Click on each storage account within each resource group.
- In the overview, under Security, ensure Infrastructure encryption is set to Enabled.
From TF
Set 'infrastructure_encryption_enabled' to 'true':
resource "azurerm_storage_account" "example" {
  # ...
  infrastructure_encryption_enabled = true
  # ...
}
From Command Line
Run
az storage account create --resource-group RESOURCEGROUPNAME --name StorageAccount --location LOCATION --sku SKUNAME --kind StorageV2 --require-infrastructure-encryption
Note: If infrastructure encryption was not enabled when the blob storage was created, there is no official way to enable it afterwards.
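Because the setting cannot be changed after creation, it helps to audit existing accounts and list the ones that fail the GSL rule above. The following is an added example, not CloudGuard's or Microsoft's own code: it evaluates `encryption.requireInfrastructureEncryption` over JSON in the shape of `az storage account list -o json`. The account and resource group names are constructed sample data, and a value that is null, false or missing is treated as failing.

```python
import json
import subprocess

# Constructed sample in the shape of `az storage account list -o json`,
# trimmed to the fields the rule reads. All names are made up.
SAMPLE = json.loads("""
[
  {"name": "stprodlogs01", "resourceGroup": "rg-prod",
   "encryption": {"keySource": "Microsoft.Storage", "requireInfrastructureEncryption": true}},
  {"name": "stdevscratch", "resourceGroup": "rg-dev",
   "encryption": {"keySource": "Microsoft.Storage", "requireInfrastructureEncryption": null}},
  {"name": "stlegacy", "resourceGroup": "rg-prod",
   "encryption": {"keySource": "Microsoft.Storage", "requireInfrastructureEncryption": false}},
  {"name": "stnoenc", "resourceGroup": "rg-dev"}
]
""")


def is_compliant(account):
    """True only when encryption.requireInfrastructureEncryption is the boolean true."""
    enc = account.get("encryption") or {}
    return enc.get("requireInfrastructureEncryption") is True


def find_noncompliant(accounts):
    """Return (resourceGroup, name) for every account that fails the rule."""
    return [(a.get("resourceGroup"), a.get("name"))
            for a in accounts if not is_compliant(a)]


def load_live_accounts():
    """Read the current subscription's storage accounts through the Azure CLI."""
    out = subprocess.run(["az", "storage", "account", "list", "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    # Runs offline on the constructed sample; pass load_live_accounts()
    # instead of SAMPLE to audit a real subscription.
    for rg, name in find_noncompliant(SAMPLE):
        print(f"FAIL {rg}/{name}: infrastructure encryption not enabled")
```

Accounts reported as FAIL have to be recreated with the setting enabled and their data migrated, since the flag is fixed at creation time.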
References
- https://workbench.cisecurity.org/sections/1460909/recommendations/2349068
- https://learn.microsoft.com/en-us/azure/storage/common/storage-service-encryption#doubly-encrypt-data-with-infrastructure-encryption
- https://learn.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az-storage-account-create
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account.html#infrastructure_encryption_enabled
Azure Storage Account
An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.
Compliance Frameworks
- Azure CIS Foundations v. 1.5.0
- Azure CIS Foundations v.2.0
- Azure CSA CCM v.4.0.1
- Azure CloudGuard Best Practices
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset
Updated about 1 year ago