Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'

Enable encryption at rest for PostgreSQL Databases

Risk Level: Low
Cloud Entity: Azure Storage Account
CloudGuard Rule ID: D9.AZU.CRY.49
Covered by Spectral: No
Category: Storage

GSL LOGIC

StorageAccount should have encryption.requireInfrastructureEncryption=true

REMEDIATION

From Portal

  1. From Azure Portal select the portal menu in the top left.
  2. Select Storage Accounts.
  3. Click on each storage account within each resource group.
  4. In the overview, under Security, ensure Infrastructure encryption is set to Enabled.

From TF
Set 'infrastructure_encryption_enabled' to 'true' (the attribute is only honoured at creation time, so on an existing account Terraform must replace the resource):

resource "azurerm_storage_account" "example" {
	name                     = "examplestorageacct"   # placeholder; must be globally unique
	resource_group_name      = azurerm_resource_group.example.name
	location                 = azurerm_resource_group.example.location
	account_tier             = "Standard"
	account_replication_type = "LRS"

	# Second encryption layer at the infrastructure level; cannot be enabled after creation
	infrastructure_encryption_enabled = true
}

From Command Line
Run

az storage account create --resource-group RESOURCEGROUPNAME --name StorageAccount --location LOCATION --sku SKUNAME --kind StorageV2 --require-infrastructure-encryption

Note: if infrastructure encryption was not enabled when the storage account was created, there is no official way to enable it afterwards; the account has to be recreated with the setting turned on.
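The GSL check above, applied to the JSON that `az storage account list -o json` returns, as an added example that is not part of the CloudGuard rule or the Azure CLI. It assumes the CLI's output shape (`name`, `resourceGroup`, `encryption.requireInfrastructureEncryption`); the sample accounts are constructed, and the point it adds is that a missing or null property must be treated as a failure, with every finding tagged for recreation because the setting cannot be enabled in place.

```python
import json

# Constructed sample shaped like `az storage account list -o json` output, trimmed to
# the fields the rule needs. Not captured from a real subscription.
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "stcompliant01", "resourceGroup": "rg-app",
   "encryption": {"requireInfrastructureEncryption": true}},
  {"name": "stlegacy02", "resourceGroup": "rg-app",
   "encryption": {"requireInfrastructureEncryption": false}},
  {"name": "stunset03", "resourceGroup": "rg-data",
   "encryption": {"requireInfrastructureEncryption": null}},
  {"name": "stmissing04", "resourceGroup": "rg-data",
   "encryption": {}}
]
"""


def has_infrastructure_encryption(account: dict) -> bool:
    """Evaluate D9.AZU.CRY.49: encryption.requireInfrastructureEncryption must be true.

    Accounts created without the option may report null or omit the property;
    both mean the second encryption layer is off, so only an explicit true passes.
    """
    encryption = account.get("encryption") or {}
    return encryption.get("requireInfrastructureEncryption") is True


def find_noncompliant(accounts_json: str) -> list:
    """Return the accounts that fail the rule, each with the only remediation available.

    Infrastructure encryption cannot be switched on after creation, so every finding
    says the account must be recreated with --require-infrastructure-encryption
    (or infrastructure_encryption_enabled = true in Terraform).
    """
    findings = []
    for account in json.loads(accounts_json):
        if not has_infrastructure_encryption(account):
            findings.append({
                "name": account["name"],
                "resourceGroup": account.get("resourceGroup"),
                "remediation": "recreate with --require-infrastructure-encryption",
            })
    return findings


if __name__ == "__main__":
    for finding in find_noncompliant(SAMPLE_ACCOUNTS_JSON):
        print(f"{finding['resourceGroup']}/{finding['name']}: {finding['remediation']}")
```

Pipe real CLI output into `find_noncompliant` to get the same report for a subscription.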

References

  1. https://workbench.cisecurity.org/sections/1460909/recommendations/2349068
  2. https://learn.microsoft.com/en-us/azure/storage/common/storage-service-encryption#doubly-encrypt-data-with-infrastructure-encryption
  3. https://learn.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az-storage-account-create
  4. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account.html#infrastructure_encryption_enabled

Azure Storage Account

An Azure storage account provides a unique namespace to store and access your Azure Storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to you, the account owner.

Compliance Frameworks

  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset