Skip to main content

πŸ›‘οΈ Azure Diagnostic Setting Logs export to Storage Account not encrypted with Customer-managed key🟒

  • Contextual name: πŸ›‘οΈ Diagnostic Setting Logs export to Storage Account not encrypted with Customer-managed key🟒
  • ID: /ce/ca/azure/monitor/diagnostic-logs-export-to-storage-without-cmk
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic​

Similar Policies​

  • Internal: dec-x-5c3c2067

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-5c3c20671

Description​

Open File

Description​

Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).

Rationale​

Configuring the storage account with the activity log export container to use CMKs provides additional confidentiality controls on log data, as a given user must have read permission on the corresponding storage account and must be granted decrypt permission by the CMK.

Impact​

NOTE: You must have your key vault setup to utilize this. All Audit Logs will be encrypted with a key you provide. You will need to set up customer managed keys separately, and you will select which key to use via the instructions here. You will be responsible for the lifecycle of the keys, and will need to manually replace them at your own determined intervals to keep the data secure.

Audit​

This policy flags an Azure Subscription Diagnostic Setting as INCOMPLIANT if the associated Storage Account, the logs being sent to, is not encrypted by a customer-managed key. This is detected when the Encryption Key Source field is not set to Microsoft.Keyvault, indicating that the storage account relies on a Microsoft‑managed key.

... see more

Remediation​

Open File

Remediation​

From Azure Portal​

  1. Go to Monitor.
  2. Select Activity log.
  3. Select Export Activity Logs.
  4. Select a Subscription.
  5. Note the name of the Storage Account for the diagnostic setting.
  6. Navigate to Storage accounts.
  7. Click on the storage account.
  8. Under Security + networking, click Encryption.
  9. Next to Encryption type, select Customer-managed keys.
  10. Complete the steps to configure a customer-managed key for encryption of the storage account.

From Azure CLI​

az storage account update --name <name of the storage account> --resource-group <resource group for a storage account> --encryption-key-source=Microsoft.Keyvault --encryption-key-vault <Key Vault URI> --encryption-key-name <KeyName> --encryption-key-version <Key Version>

From PowerShell​

Set-AzStorageAccount -ResourceGroupName <resource group name> -Name <storage account name> -KeyvaultEncryption -KeyVaultUri <key vault URI> -KeyName <key name>

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 52c appropriate encryption, cleansing and auditing of devices;1010no data
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance).2122no data
πŸ’Ό CIS Azure v1.1.0 β†’ πŸ’Ό 5.1.6 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)11no data
πŸ’Ό CIS Azure v1.3.0 β†’ πŸ’Ό 5.1.4 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) - Level 2 (Automated)11no data
πŸ’Ό CIS Azure v1.4.0 β†’ πŸ’Ό 5.1.4 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) - Level 2 (Automated)11no data
πŸ’Ό CIS Azure v1.5.0 β†’ πŸ’Ό 5.1.4 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key - Level 2 (Automated)11no data
πŸ’Ό CIS Azure v2.0.0 β†’ πŸ’Ό 5.1.4 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key - Level 2 (Automated)11no data
πŸ’Ό CIS Azure v2.1.0 β†’ πŸ’Ό 5.1.3 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK) - Level 2 (Automated)11no data
πŸ’Ό CIS Azure v3.0.0 β†’ πŸ’Ό 6.1.3 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK) (Automated)1no data
πŸ’Ό CIS Azure v4.0.0 β†’ πŸ’Ό 7.1.1.3 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK) (Automated)1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Data Encryption57no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Logging and Monitoring Configuration65no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)3772no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4(4) Flow Control of Encrypted Information (H)2627no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)1634no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)1732no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)521no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)72no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)34no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)132no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)21no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)72no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)34no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)132no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)21no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.10.1.1 Policy on the use of cryptographic controls1819no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.33 Protection of records1015no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-1: Data-at-rest is protected1530no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-5: Protections against data leaks are implemented4791no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected164no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected140no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected156no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(2) Information Flow Enforcement _ Processing Domains3133no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-28 Protection of Information at Rest31733no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-28(1) Protection of Information at Rest _ Cryptographic Protection1021no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 3.4.1 If disk encryption is used, logical access must be managed separately and independently of native operating system authentication and access control mechanisms.712no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.1825no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.13no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable.12no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.225no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.813no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable.12no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.2925no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-11 Protects Encryption Keys69no data