standard
turbot/azure_cis
Get Involved
Version
Pipeline: 6.1.3 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
Description
Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).
Configuring the storage account with the activity log export container to use CMKs provides additional confidentiality controls on log data, as a given user must have read permission on the corresponding storage account and must be granted decrypt permission by the CMK.
Remediation
From Azure Portal
- Go to
Monitor
. - Select
Activity log
. - Select
Export Activity Logs
. - Select a
Subscription
. - Note the name of the
Storage Account
for the diagnostic setting. - Navigate to
Storage accounts
. - Click on the storage account.
- Under
Security + networking
, clickEncryption
. - Next to
Encryption type
, selectCustomer-managed keys
. - Complete the steps to configure a customer-managed key for encryption of the storage account.
From Azure CLI
az storage account update --name <name of the storage account> --resource-group <resource group for a storage account> --encryption-key-source=Microsoft.Keyvault --encryption-key-vault <Key Vault URI> --encryption-key-name <KeyName> --encryption-key-version <Key Version>
From PowerShell
Set-AzStorageAccount -ResourceGroupName <resource group name> -Name <storage account name> -KeyvaultEncryption -KeyVaultUri <key vault URI> -KeyName <key name>
Default Value
By default, for a storage account keySource
is set to Microsoft.Storage
allowing encryption with vendor Managed key and not a Customer Managed Key.
Run the pipeline
To run this pipeline from your terminal:
flowpipe pipeline run azure_cis.pipeline.cis_v300_6_1_3
Use this pipeline
To call this pipeline from your pipeline, use a step:
step "pipeline" "step_name" { pipeline = azure_cis.pipeline.cis_v300_6_1_3 }
Params
Name | Type | Required | Description | Default |
---|---|---|---|---|
database | connection.steampipe | Yes | Database connection string. | connection.steampipe.default |
notifier | notifier | Yes | The name of the notifier to use for sending notification messages. | notifier.default |
notification_level | string | Yes | The verbosity level of notification messages to send. Valid options are 'verbose', 'info', 'error'. | info |
Outputs
This pipeline has no outputs.
Tags
folder = CIS v3.0.0/6 Logging and Monitoring/6.1 Configuring Diagnostic Settings