Plugin Title Log Storage Encryption
Cloud AZURE
Category Storage Accounts
Description Ensures BYOK encryption is properly configured in the Activity Log Storage Account
More Info Storage accounts can be configured to encrypt data-at-rest. By default Azure will create a set of keys to encrypt the storage account, but the recommended approach is to create your own keys using Azure Key Vault.
AWS Link https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption-customer-managed-keys
Recommended Action Ensure the Storage Account used by Activity Logs is configured with a BYOK key.


Detailed Remediation Steps

  1. Log into the Microsoft Azure Management Console.
  2. Select the "Search resources, services, and docs" option at the top and search for Monitor.
  3. Select the "Log Activity" on the "Monitor-Overview" page.
  4. On the "Activity Log" page, click on the "Diagnostics Settigns" at the top.
  5. On the "Diagnostics settings" page, copy the "Storage account" name for the "Activity Log".
  6. Select the "Search resources, services, and docs" option at the top and search for "Storage account."
  7. Paste the "Storage account" name on the "Filter" option at the top, copied in Step 5 and select the corresponding "Storage account."
  8. Scroll down the "Storage account" navigation panel and choose "Encryption" option under the "Settings."
  9. On the "Encryption page" scroll down and check "Use your own key" setting configuration. If "Use your own key" setting checkbox is not checked, then "BYOK encryption" is not configured in the Activity Log Storage Account.
  10. Repeat steps number 2 - 9 to verify other "Log Storage Encryptions" in the Azure account.
  11. Navigate to "Storage account", select the corresponding "Storage account", scroll down the left navigation panel and choose "Encryption."
  12. On the "Encyption page" select the "Use your own key" and click on the "Select from Key Vault".
  13. On the "Key vault" option select the vault accordingly.
  14. On the "Encryption key" option select the key accordingly.
  15. Click on the "Save" option at the top to make the changes.
  16. Repeat steps number 11 - 15 to ensure the Storage Account used by Activity Logs is configured with a BYOK key.

Want to scan for this risk automatically?

Get Started Now