standard
turbot/azure_cis

Pipeline: 6.1.3 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key

Description

Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).

Configuring the storage account with the activity log export container to use CMKs provides additional confidentiality controls on log data, as a given user must have read permission on the corresponding storage account and must be granted decrypt permission by the CMK.

Remediation

From Azure Portal

  1. Go to Monitor.
  2. Select Activity log.
  3. Select Export Activity Logs.
  4. Select a Subscription.
  5. Note the name of the Storage Account for the diagnostic setting.
  6. Navigate to Storage accounts.
  7. Click on the storage account.
  8. Under Security + networking, click Encryption.
  9. Next to Encryption type, select Customer-managed keys.
  10. Complete the steps to configure a customer-managed key for encryption of the storage account.

From Azure CLI

az storage account update --name <name of the storage account> --resource-group <resource group for a storage account> --encryption-key-source=Microsoft.Keyvault --encryption-key-vault <Key Vault URI> --encryption-key-name <KeyName> --encryption-key-version <Key Version>

From PowerShell

Set-AzStorageAccount -ResourceGroupName <resource group name> -Name <storage account name> -KeyvaultEncryption -KeyVaultUri <key vault URI> -KeyName <key name>

Default Value

By default, for a storage account keySource is set to Microsoft.Storage allowing encryption with vendor Managed key and not a Customer Managed Key.

Run the pipeline

To run this pipeline from your terminal:

flowpipe pipeline run azure_cis.pipeline.cis_v300_6_1_3

Use this pipeline

To call this pipeline from your pipeline, use a step:

step "pipeline" "step_name" {
pipeline = azure_cis.pipeline.cis_v300_6_1_3
}

Params

NameTypeRequiredDescriptionDefault
database
connection.steampipe
YesDatabase connection string.connection.steampipe.default
notifier
notifier
YesThe name of the notifier to use for sending notification messages.notifier.default
notification_level
string
YesThe verbosity level of notification messages to send. Valid options are 'verbose', 'info', 'error'.info

Outputs

This pipeline has no outputs.

Tags

folder = CIS v3.0.0/6 Logging and Monitoring/6.1 Configuring Diagnostic Settings