lacework-global-630
5.1.4 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (Manual)
Note: this rule has been changed to manual; see Permanently Manual Rules for CIS Azure 1.5.0 for details.
Profile Applicability
• Level 2
Description
The storage account that receives activity log exports can be configured to encrypt its data with a customer-managed key (CMK) held in Azure Key Vault instead of the default Microsoft-managed key.
Rationale
Configuring the storage account that holds the activity log export container to use a CMK adds a second confidentiality control on the log data: a principal must hold read permission on the storage account and must also be able to use the CMK to decrypt, so access to the logs can be revoked or audited through the key vault independently of storage permissions.
Impact
NOTE: You must have a Key Vault set up before enabling this; Azure requires soft delete and purge protection on a key vault that backs storage CMK, and the storage account needs a managed identity with permission to use the key. All exported activity logs will then be encrypted with a key you provide. You set up the customer-managed key separately and select it via the instructions below. You are responsible for the lifecycle of the key: if you pin a specific key version, you must rotate it and update the storage account at intervals you determine; if you leave the key version unset, the storage account follows the latest version of the key automatically.
Audit
From Azure Portal
- Go to Activity log
- Select Export
- Select Subscription
- In the Storage Account section, note the name of the storage account
- Close the Export Audit Logs blade, then close the Monitor - Activity Log blade
- In the right column, click the Storage Accounts service to open the Storage account blade
- Click the storage account name noted above; this opens the blade for that storage account
- In the SETTINGS section, click Encryption to open the Storage service encryption configuration pane
- Ensure Use your own key is checked and Key URI is set
From Azure CLI
- Get the storage account ID configured in the log profile:
az monitor log-profiles list --query "[*].storageAccountId"
- Ensure that storage account is encrypted with a CMK (the log profile returns a full resource ID; the account name is its last path segment):
az storage account list --query "[?name=='<Storage Account Name>']"
In the command output ensure encryption.keySource is set to Microsoft.Keyvault and encryption.keyVaultProperties is not null (it should carry keyVaultUri and keyName). A storage account with keySource set to Microsoft.Keyvault but an empty keyVaultProperties is not actually using a customer-managed key.
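The two CLI steps above can be joined into a single offline check over the JSON the commands return. The following script is an added example for this page, not Lacework's or CIS's own tooling: it evaluates constructed samples of `az monitor log-profiles list` and `az storage account list` output (the subscription ID, resource group, account names and key vault name are placeholders), resolves each log profile's storageAccountId to its account, and applies the keySource / keyVaultProperties test the Audit section describes. It also goes one step beyond the page by treating a missing storage export or an account that cannot be found as a failure rather than a silent skip.

```python
"""Audit helper for CIS Azure 5.1.4: is the activity-log storage account CMK-encrypted?

Added example, not Lacework's or CIS's code. It evaluates the JSON that
`az monitor log-profiles list` and `az storage account list` return, using the
same fields the Audit section names (keySource, keyVaultProperties). The sample
documents below are constructed for this example; the subscription ID,
resource group, account and key vault names are placeholders.
"""
import json

# Constructed sample of `az monitor log-profiles list` output, trimmed to the
# field this check needs. The resource ID is illustrative.
LOG_PROFILES_JSON = """[
  {"name": "default",
   "storageAccountId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logging/providers/Microsoft.Storage/storageAccounts/stactivitylogs"}
]"""

# Constructed sample of `az storage account list` output, trimmed to the
# `encryption` block the Audit section inspects. The first account is
# platform-key encrypted (fails); the second uses a Key Vault key (passes).
STORAGE_ACCOUNTS_JSON = """[
  {"name": "stactivitylogs",
   "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logging/providers/Microsoft.Storage/storageAccounts/stactivitylogs",
   "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": null}},
  {"name": "stotherlogs",
   "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logging/providers/Microsoft.Storage/storageAccounts/stotherlogs",
   "encryption": {"keySource": "Microsoft.Keyvault",
                  "keyVaultProperties": {"keyName": "activity-log-key",
                                         "keyVaultUri": "https://kv-logging.vault.azure.net/",
                                         "keyVersion": ""}}}
]"""


def check_cmk(account):
    """Return (compliant, reason) for one storage account document.

    Compliant means keySource is Microsoft.Keyvault and keyVaultProperties
    carries a key vault URI and key name, i.e. the account is really wired to
    a customer-managed key rather than merely flagged for one.
    """
    enc = account.get("encryption") or {}
    source = enc.get("keySource")
    if source != "Microsoft.Keyvault":
        return False, f"keySource is {source!r}, expected 'Microsoft.Keyvault'"
    props = enc.get("keyVaultProperties")
    if not props:
        return False, "keyVaultProperties is null"
    missing = [f for f in ("keyVaultUri", "keyName") if not props.get(f)]
    if missing:
        return False, f"keyVaultProperties missing {', '.join(missing)}"
    return True, f"CMK {props['keyName']} from {props['keyVaultUri']}"


def audit(log_profiles, storage_accounts):
    """Map every log profile's storageAccountId to its account and check it.

    Returns {storageAccountId or profile name: (compliant, reason)}. Azure
    resource IDs are case-insensitive, so the lookup is done on lower-cased
    IDs. A profile with no storage export, or whose account is absent from the
    listing (other subscription, deleted), is reported as a failure.
    """
    by_id = {a["id"].lower(): a for a in storage_accounts if a.get("id")}
    results = {}
    for profile in log_profiles:
        sa_id = profile.get("storageAccountId")
        if not sa_id:
            results[profile.get("name", "?")] = (False, "log profile has no storage account export")
            continue
        account = by_id.get(sa_id.lower())
        if account is None:
            results[sa_id] = (False, "storage account not found in listing")
            continue
        results[sa_id] = check_cmk(account)
    return results


def audit_sample():
    """Run the check over the constructed samples above."""
    return audit(json.loads(LOG_PROFILES_JSON), json.loads(STORAGE_ACCOUNTS_JSON))


if __name__ == "__main__":
    for sa_id, (ok, reason) in audit_sample().items():
        print(f"{'PASS' if ok else 'FAIL'} {sa_id.rsplit('/', 1)[-1]}: {reason}")
```

To run it against a real subscription, replace the two constructed JSON strings with the output of the two `az` commands from the Audit section (for example via `subprocess.run([...], capture_output=True)`), leaving `check_cmk` and `audit` unchanged; the lookup by full resource ID avoids the ambiguity of matching on account name when the log profile exports to an account in another resource group.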
Remediation
From Azure Portal
- In the right column, click the Storage Accounts service to open the Storage account blade
- Click the storage account name
- In the SETTINGS section, click Encryption to open the Storage service encryption configuration pane
- Check Use your own key, which expands the Encryption Key settings
- Use Enter key URI or Select from Key Vault to set up encryption with your own key
From Azure CLI
az storage account update --name <name of the storage account> --resource-group <resource group for a storage account> --encryption-key-source=Microsoft.Keyvault --encryption-key-vault <Key Vault URI> --encryption-key-name <KeyName> --encryption-key-version <Key Version>
Before running this, the storage account must have a managed identity (for example `az storage account update --name <name> --resource-group <rg> --assign-identity`) that is granted get, wrapKey and unwrapKey permission on the key in the vault, and the vault must have soft delete and purge protection enabled, or the update will be rejected. Passing an explicit --encryption-key-version pins the account to that key version, so every rotation must be followed by another update; omitting the version lets the storage account pick up the latest version of the key automatically.